relay.c (132195B)
1 /* Copyright (c) 2001 Matej Pfajfar. 2 * Copyright (c) 2001-2004, Roger Dingledine. 3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. 4 * Copyright (c) 2007-2021, The Tor Project, Inc. */ 5 /* See LICENSE for licensing information */ 6 7 /** 8 * \file relay.c 9 * \brief Handle relay cell encryption/decryption, plus packaging and 10 * receiving from circuits, plus queuing on circuits. 11 * 12 * This is a core modules that makes Tor work. It's responsible for 13 * dealing with RELAY cells (the ones that travel more than one hop along a 14 * circuit), by: 15 * <ul> 16 * <li>constructing relays cells, 17 * <li>encrypting relay cells, 18 * <li>decrypting relay cells, 19 * <li>demultiplexing relay cells as they arrive on a connection, 20 * <li>queueing relay cells for retransmission, 21 * <li>or handling relay cells that are for us to receive (as an exit or a 22 * client). 23 * </ul> 24 * 25 * RELAY cells are generated throughout the code at the client or relay side, 26 * using relay_send_command_from_edge() or one of the functions like 27 * connection_edge_send_command() that calls it. Of particular interest is 28 * connection_edge_package_raw_inbuf(), which takes information that has 29 * arrived on an edge connection socket, and packages it as a RELAY_DATA cell 30 * -- this is how information is actually sent across the Tor network. The 31 * cryptography for these functions is handled deep in 32 * circuit_package_relay_cell(), which either adds a single layer of 33 * encryption (if we're an exit), or multiple layers (if we're the origin of 34 * the circuit). After construction and encryption, the RELAY cells are 35 * passed to append_cell_to_circuit_queue(), which queues them for 36 * transmission and tells the circuitmux (see circuitmux.c) that the circuit 37 * is waiting to send something. 38 * 39 * Incoming RELAY cells arrive at circuit_receive_relay_cell(), called from 40 * command.c. There they are decrypted and, if they are for us, are passed to 41 * connection_edge_process_relay_cell(). If they're not for us, they're 42 * re-queued for retransmission again with append_cell_to_circuit_queue(). 43 * 44 * The connection_edge_process_relay_cell() function handles all the different 45 * types of relay cells, launching requests or transmitting data as needed. 46 **/ 47 48 #include "lib/log/log.h" 49 #define RELAY_PRIVATE 50 #include "core/or/or.h" 51 #include "feature/client/addressmap.h" 52 #include "lib/err/backtrace.h" 53 #include "lib/buf/buffers.h" 54 #include "core/or/channel.h" 55 #include "feature/client/circpathbias.h" 56 #include "core/or/circuitbuild.h" 57 #include "core/or/circuitlist.h" 58 #include "core/or/circuituse.h" 59 #include "core/or/circuitpadding.h" 60 #include "core/or/extendinfo.h" 61 #include "lib/compress/compress.h" 62 #include "app/config/config.h" 63 #include "core/mainloop/connection.h" 64 #include "core/or/connection_edge.h" 65 #include "core/or/connection_or.h" 66 #include "feature/control/control_events.h" 67 #include "lib/crypt_ops/crypto_rand.h" 68 #include "lib/crypt_ops/crypto_util.h" 69 #include "feature/dircommon/directory.h" 70 #include "feature/relay/dns.h" 71 #include "feature/relay/circuitbuild_relay.h" 72 #include "feature/stats/geoip_stats.h" 73 #include "feature/hs/hs_cache.h" 74 #include "core/mainloop/mainloop.h" 75 #include "feature/nodelist/networkstatus.h" 76 #include "feature/nodelist/nodelist.h" 77 #include "core/or/onion.h" 78 #include "core/or/policies.h" 79 #include "core/or/reasons.h" 80 #include "core/or/relay.h" 81 #include "core/crypto/relay_crypto.h" 82 #include "feature/rend/rendcommon.h" 83 #include "feature/nodelist/describe.h" 84 #include "feature/nodelist/routerlist.h" 85 #include "core/or/scheduler.h" 86 #include "feature/hs/hs_metrics.h" 87 #include "feature/stats/rephist.h" 88 #include "core/or/relay_msg.h" 89 90 #include "core/or/cell_st.h" 91 #include "core/or/cell_queue_st.h" 92 #include "core/or/cpath_build_state_st.h" 93 #include "feature/dircommon/dir_connection_st.h" 94 #include "core/or/destroy_cell_queue_st.h" 95 #include "core/or/entry_connection_st.h" 96 #include "core/or/extend_info_st.h" 97 #include "core/or/or_circuit_st.h" 98 #include "core/or/origin_circuit_st.h" 99 #include "feature/nodelist/routerinfo_st.h" 100 #include "core/or/socks_request_st.h" 101 #include "core/or/sendme.h" 102 #include "core/or/congestion_control_common.h" 103 #include "core/or/congestion_control_flow.h" 104 #include "core/or/conflux.h" 105 #include "core/or/conflux_util.h" 106 #include "core/or/conflux_pool.h" 107 #include "core/or/relay_msg_st.h" 108 109 static edge_connection_t *relay_lookup_conn(circuit_t *circ, 110 const relay_msg_t *msg, 111 cell_direction_t cell_direction, 112 crypt_path_t *layer_hint); 113 114 static void circuit_resume_edge_reading(circuit_t *circ, 115 crypt_path_t *layer_hint); 116 static int circuit_resume_edge_reading_helper(edge_connection_t *conn, 117 circuit_t *circ, 118 crypt_path_t *layer_hint); 119 static int circuit_consider_stop_edge_reading(circuit_t *circ, 120 crypt_path_t *layer_hint); 121 static int circuit_queue_streams_are_blocked(circuit_t *circ); 122 static void adjust_exit_policy_from_exitpolicy_failure(origin_circuit_t *circ, 123 entry_connection_t *conn, 124 node_t *node, 125 const tor_addr_t *addr); 126 static int connection_edge_process_ordered_relay_cell(const relay_msg_t *msg, 127 circuit_t *circ, 128 edge_connection_t *conn, 129 crypt_path_t *layer_hint); 130 static void set_block_state_for_streams(circuit_t *circ, 131 edge_connection_t *stream_list, 132 int block, streamid_t stream_id); 133 134 /** Stats: how many relay cells have originated at this hop, or have 135 * been relayed onward (not recognized at this hop)? 136 */ 137 uint64_t stats_n_relay_cells_relayed = 0; 138 /** Stats: how many relay cells have been delivered to streams at this 139 * hop? 140 */ 141 uint64_t stats_n_relay_cells_delivered = 0; 142 /** Stats: how many circuits have we closed due to the cell queue limit being 143 * reached (see append_cell_to_circuit_queue()) */ 144 uint64_t stats_n_circ_max_cell_reached = 0; 145 uint64_t stats_n_circ_max_cell_outq_reached = 0; 146 147 /** 148 * Update channel usage state based on the type of relay cell and 149 * circuit properties. 150 * 151 * This is needed to determine if a client channel is being 152 * used for application traffic, and if a relay channel is being 153 * used for multihop circuits and application traffic. The decision 154 * to pad in channelpadding.c depends upon this info (as well as 155 * consensus parameters) to decide what channels to pad. 156 */ 157 static void 158 circuit_update_channel_usage(circuit_t *circ, cell_t *cell) 159 { 160 if (CIRCUIT_IS_ORIGIN(circ)) { 161 /* 162 * The client state was first set much earlier in 163 * circuit_send_next_onion_skin(), so we can start padding as early as 164 * possible. 165 * 166 * However, if padding turns out to be expensive, we may want to not do 167 * it until actual application traffic starts flowing (which is controlled 168 * via consensus param nf_pad_before_usage). 169 * 170 * So: If we're an origin circuit and we've created a full length circuit, 171 * then any CELL_RELAY cell means application data. Increase the usage 172 * state of the channel to indicate this. 173 * 174 * We want to wait for CELL_RELAY specifically here, so we know that 175 * the channel was definitely being used for data and not for extends. 176 * By default, we pad as soon as a channel has been used for *any* 177 * circuits, so this state is irrelevant to the padding decision in 178 * the default case. However, if padding turns out to be expensive, 179 * we would like the ability to avoid padding until we're absolutely 180 * sure that a channel is used for enough application data to be worth 181 * padding. 182 * 183 * (So it does not matter that CELL_RELAY_EARLY can actually contain 184 * application data. This is only a load reducing option and that edge 185 * case does not matter if we're desperately trying to reduce overhead 186 * anyway. See also consensus parameter nf_pad_before_usage). 187 */ 188 if (BUG(!circ->n_chan)) 189 return; 190 191 if (circ->n_chan->channel_usage == CHANNEL_USED_FOR_FULL_CIRCS && 192 cell->command == CELL_RELAY) { 193 circ->n_chan->channel_usage = CHANNEL_USED_FOR_USER_TRAFFIC; 194 } 195 } else { 196 /* If we're a relay circuit, the question is more complicated. Basically: 197 * we only want to pad connections that carry multihop (anonymous) 198 * circuits. 199 * 200 * We assume we're more than one hop if either the previous hop 201 * is not a client, or if the previous hop is a client and there's 202 * a next hop. Then, circuit traffic starts at RELAY_EARLY, and 203 * user application traffic starts when we see RELAY cells. 204 */ 205 or_circuit_t *or_circ = TO_OR_CIRCUIT(circ); 206 207 if (BUG(!or_circ->p_chan)) 208 return; 209 210 if (!channel_is_client(or_circ->p_chan) || 211 (channel_is_client(or_circ->p_chan) && circ->n_chan)) { 212 if (cell->command == CELL_RELAY_EARLY) { 213 if (or_circ->p_chan->channel_usage < CHANNEL_USED_FOR_FULL_CIRCS) { 214 or_circ->p_chan->channel_usage = CHANNEL_USED_FOR_FULL_CIRCS; 215 } 216 } else if (cell->command == CELL_RELAY) { 217 or_circ->p_chan->channel_usage = CHANNEL_USED_FOR_USER_TRAFFIC; 218 } 219 } 220 } 221 } 222 223 /** Receive a relay cell: 224 * - Crypt it (encrypt if headed toward the origin or if we <b>are</b> the 225 * origin; decrypt if we're headed toward the exit). 226 * - Check if recognized (if exitward). 227 * - If recognized and the digest checks out, then find if there's a stream 228 * that the cell is intended for, and deliver it to the right 229 * connection_edge. 230 * - If not recognized, then we need to relay it: append it to the appropriate 231 * cell_queue on <b>circ</b>. 232 * 233 * Return -<b>reason</b> on failure, else 0. 234 */ 235 int 236 circuit_receive_relay_cell(cell_t *cell, circuit_t *circ, 237 cell_direction_t cell_direction) 238 { 239 channel_t *chan = NULL; 240 crypt_path_t *layer_hint=NULL; 241 char recognized=0; 242 int reason; 243 244 tor_assert(cell); 245 tor_assert(circ); 246 tor_assert(cell_direction == CELL_DIRECTION_OUT || 247 cell_direction == CELL_DIRECTION_IN); 248 if (circ->marked_for_close) 249 return 0; 250 251 if (relay_decrypt_cell(circ, cell, cell_direction, &layer_hint, &recognized) 252 < 0) { 253 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, 254 "relay crypt failed. Dropping connection."); 255 return -END_CIRC_REASON_INTERNAL; 256 } 257 258 circuit_update_channel_usage(circ, cell); 259 260 if (recognized) { 261 edge_connection_t *conn = NULL; 262 relay_cell_fmt_t format = circuit_get_relay_format(circ, layer_hint); 263 264 relay_msg_t msg_buf; 265 if (relay_msg_decode_cell_in_place(format, cell, &msg_buf) < 0) { 266 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, 267 "Received undecodable relay cell"); 268 return -END_CIRC_REASON_TORPROTOCOL; 269 } 270 const relay_msg_t *msg = &msg_buf; 271 272 if (circ->purpose == CIRCUIT_PURPOSE_PATH_BIAS_TESTING) { 273 if (pathbias_check_probe_response(circ, msg) == -1) { 274 pathbias_count_valid_cells(circ, msg); 275 } 276 277 /* We need to drop this cell no matter what to avoid code that expects 278 * a certain purpose (such as the hidserv code). */ 279 return 0; 280 } 281 282 conn = relay_lookup_conn(circ, msg, cell_direction, layer_hint); 283 if (cell_direction == CELL_DIRECTION_OUT) { 284 ++stats_n_relay_cells_delivered; 285 log_debug(LD_OR,"Sending away from origin."); 286 reason = connection_edge_process_relay_cell(msg, circ, conn, NULL); 287 if (reason < 0) { 288 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, 289 "connection_edge_process_relay_cell (away from origin) " 290 "failed."); 291 return reason; 292 } 293 } else if (cell_direction == CELL_DIRECTION_IN) { 294 ++stats_n_relay_cells_delivered; 295 log_debug(LD_OR,"Sending to origin."); 296 reason = connection_edge_process_relay_cell(msg, circ, conn, 297 layer_hint); 298 if (reason < 0) { 299 /* If a client is trying to connect to unknown hidden service port, 300 * END_CIRC_AT_ORIGIN is sent back so we can then close the circuit. 301 * Do not log warn as this is an expected behavior for a service. */ 302 if (reason != END_CIRC_AT_ORIGIN) { 303 log_warn(LD_OR, 304 "connection_edge_process_relay_cell (at origin) failed."); 305 } 306 return reason; 307 } 308 } 309 return 0; 310 } 311 312 /* not recognized. inform circpad and pass it on. */ 313 circpad_deliver_unrecognized_cell_events(circ, cell_direction); 314 315 if (cell_direction == CELL_DIRECTION_OUT) { 316 cell->circ_id = circ->n_circ_id; /* switch it */ 317 chan = circ->n_chan; 318 } else if (! CIRCUIT_IS_ORIGIN(circ)) { 319 cell->circ_id = TO_OR_CIRCUIT(circ)->p_circ_id; /* switch it */ 320 chan = TO_OR_CIRCUIT(circ)->p_chan; 321 } else { 322 log_fn(LOG_PROTOCOL_WARN, LD_OR, 323 "Dropping unrecognized inbound cell on origin circuit."); 324 /* If we see unrecognized cells on path bias testing circs, 325 * it's bad mojo. Those circuits need to die. 326 * XXX: Shouldn't they always die? */ 327 if (circ->purpose == CIRCUIT_PURPOSE_PATH_BIAS_TESTING) { 328 TO_ORIGIN_CIRCUIT(circ)->path_state = PATH_STATE_USE_FAILED; 329 return -END_CIRC_REASON_TORPROTOCOL; 330 } else { 331 return 0; 332 } 333 } 334 335 if (!chan) { 336 // XXXX Can this splice stuff be done more cleanly? 337 if (! CIRCUIT_IS_ORIGIN(circ) && 338 TO_OR_CIRCUIT(circ)->rend_splice && 339 cell_direction == CELL_DIRECTION_OUT) { 340 or_circuit_t *splice_ = TO_OR_CIRCUIT(circ)->rend_splice; 341 tor_assert(circ->purpose == CIRCUIT_PURPOSE_REND_ESTABLISHED); 342 tor_assert(splice_->base_.purpose == CIRCUIT_PURPOSE_REND_ESTABLISHED); 343 cell->circ_id = splice_->p_circ_id; 344 cell->command = CELL_RELAY; /* can't be relay_early anyway */ 345 if ((reason = circuit_receive_relay_cell(cell, TO_CIRCUIT(splice_), 346 CELL_DIRECTION_IN)) < 0) { 347 log_info(LD_REND, "Error relaying cell across rendezvous; closing " 348 "circuits"); 349 return reason; 350 } 351 return 0; 352 } 353 if (BUG(CIRCUIT_IS_ORIGIN(circ))) { 354 /* Should be impossible at this point. */ 355 return -END_CIRC_REASON_TORPROTOCOL; 356 } 357 or_circuit_t *or_circ = TO_OR_CIRCUIT(circ); 358 if (++or_circ->n_cells_discarded_at_end == 1) { 359 time_t seconds_open = approx_time() - circ->timestamp_created.tv_sec; 360 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, 361 "Didn't recognize a cell, but circ stops here! Closing circuit. " 362 "It was created %ld seconds ago.", (long)seconds_open); 363 } 364 return -END_CIRC_REASON_TORPROTOCOL; 365 } 366 367 log_debug(LD_OR,"Passing on unrecognized cell."); 368 369 ++stats_n_relay_cells_relayed; /* XXXX no longer quite accurate {cells} 370 * we might kill the circ before we relay 371 * the cells. */ 372 373 if (append_cell_to_circuit_queue(circ, chan, cell, cell_direction, 0) < 0) { 374 return -END_CIRC_REASON_RESOURCELIMIT; 375 } 376 return 0; 377 } 378 379 /** Package a relay cell from an edge: 380 * - Encrypt it to the right layer 381 * - Append it to the appropriate cell_queue on <b>circ</b>. 382 * 383 * Return 1 if the cell was successfully sent as in queued on the circuit. 384 * Return 0 if the cell needs to be dropped as in ignored. 385 * Return -1 on error for which the circuit should be marked for close. */ 386 MOCK_IMPL(int, 387 circuit_package_relay_cell, (cell_t *cell, circuit_t *circ, 388 cell_direction_t cell_direction, 389 crypt_path_t *layer_hint, streamid_t on_stream, 390 const char *filename, int lineno)) 391 { 392 channel_t *chan; /* where to send the cell */ 393 394 if (circ->marked_for_close) { 395 /* Circuit is marked; send nothing. */ 396 return 0; 397 } 398 399 if (cell_direction == CELL_DIRECTION_OUT) { 400 chan = circ->n_chan; 401 if (!chan) { 402 log_warn(LD_BUG,"outgoing relay cell sent from %s:%d has n_chan==NULL." 403 " Dropping. Circuit is in state %s (%d), and is " 404 "%smarked for close. (%s:%d, %d)", filename, lineno, 405 circuit_state_to_string(circ->state), circ->state, 406 circ->marked_for_close ? "" : "not ", 407 circ->marked_for_close_file?circ->marked_for_close_file:"", 408 circ->marked_for_close, circ->marked_for_close_reason); 409 if (CIRCUIT_IS_ORIGIN(circ)) { 410 circuit_log_path(LOG_WARN, LD_BUG, TO_ORIGIN_CIRCUIT(circ)); 411 } 412 log_backtrace(LOG_WARN,LD_BUG,""); 413 return 0; /* just drop it */ 414 } 415 if (!CIRCUIT_IS_ORIGIN(circ)) { 416 log_warn(LD_BUG,"outgoing relay cell sent from %s:%d on non-origin " 417 "circ. Dropping.", filename, lineno); 418 log_backtrace(LOG_WARN,LD_BUG,""); 419 return 0; /* just drop it */ 420 } 421 422 relay_encrypt_cell_outbound(cell, TO_ORIGIN_CIRCUIT(circ), layer_hint); 423 424 /* Update circ written totals for control port */ 425 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); 426 ocirc->n_written_circ_bw = tor_add_u32_nowrap(ocirc->n_written_circ_bw, 427 CELL_PAYLOAD_SIZE); 428 429 } else { /* incoming cell */ 430 if (CIRCUIT_IS_ORIGIN(circ)) { 431 /* We should never package an _incoming_ cell from the circuit 432 * origin; that means we messed up somewhere. */ 433 log_warn(LD_BUG,"incoming relay cell at origin circuit. Dropping."); 434 assert_circuit_ok(circ); 435 return 0; /* just drop it */ 436 } 437 or_circuit_t *or_circ = TO_OR_CIRCUIT(circ); 438 relay_encrypt_cell_inbound(cell, or_circ); 439 chan = or_circ->p_chan; 440 } 441 ++stats_n_relay_cells_relayed; 442 443 return append_cell_to_circuit_queue(circ, chan, cell, 444 cell_direction, on_stream); 445 } 446 447 /** If cell's stream_id matches the stream_id of any conn that's 448 * attached to circ, return that conn, else return NULL. 449 */ 450 static edge_connection_t * 451 relay_lookup_conn(circuit_t *circ, const relay_msg_t *msg, 452 cell_direction_t cell_direction, crypt_path_t *layer_hint) 453 { 454 edge_connection_t *tmpconn; 455 456 if (!msg->stream_id) 457 return NULL; 458 459 /* IN or OUT cells could have come from either direction, now 460 * that we allow rendezvous *to* an OP. 461 */ 462 if (CIRCUIT_IS_ORIGIN(circ)) { 463 for (tmpconn = TO_ORIGIN_CIRCUIT(circ)->p_streams; tmpconn; 464 tmpconn=tmpconn->next_stream) { 465 if (msg->stream_id == tmpconn->stream_id && 466 !tmpconn->base_.marked_for_close && 467 edge_uses_cpath(tmpconn, layer_hint)) { 468 log_debug(LD_APP,"found conn for stream %d.", msg->stream_id); 469 return tmpconn; 470 } 471 } 472 } else { 473 for (tmpconn = TO_OR_CIRCUIT(circ)->n_streams; tmpconn; 474 tmpconn=tmpconn->next_stream) { 475 if (msg->stream_id == tmpconn->stream_id && 476 !tmpconn->base_.marked_for_close) { 477 log_debug(LD_EXIT,"found conn for stream %d.", msg->stream_id); 478 if (cell_direction == CELL_DIRECTION_OUT || 479 connection_edge_is_rendezvous_stream(tmpconn)) 480 return tmpconn; 481 } 482 } 483 for (tmpconn = TO_OR_CIRCUIT(circ)->resolving_streams; tmpconn; 484 tmpconn=tmpconn->next_stream) { 485 if (msg->stream_id == tmpconn->stream_id && 486 !tmpconn->base_.marked_for_close) { 487 log_debug(LD_EXIT,"found conn for stream %d.", msg->stream_id); 488 return tmpconn; 489 } 490 } 491 } 492 return NULL; /* probably a begin relay cell */ 493 } 494 495 #ifdef TOR_UNIT_TESTS 496 /** Pack the relay_header_t host-order structure <b>src</b> into 497 * network-order in the buffer <b>dest</b>. See tor-spec.txt for details 498 * about the wire format. 499 */ 500 void 501 relay_header_pack(uint8_t *dest, const relay_header_t *src) 502 { 503 set_uint8(dest, src->command); 504 set_uint16(dest+1, htons(src->recognized)); 505 set_uint16(dest+3, htons(src->stream_id)); 506 memcpy(dest+5, src->integrity, 4); 507 set_uint16(dest+9, htons(src->length)); 508 } 509 510 /** Unpack the network-order buffer <b>src</b> into a host-order 511 * relay_header_t structure <b>dest</b>. 512 */ 513 void 514 relay_header_unpack(relay_header_t *dest, const uint8_t *src) 515 { 516 dest->command = get_uint8(src); 517 dest->recognized = ntohs(get_uint16(src+1)); 518 dest->stream_id = ntohs(get_uint16(src+3)); 519 memcpy(dest->integrity, src+5, 4); 520 dest->length = ntohs(get_uint16(src+9)); 521 } 522 #endif 523 524 /** Convert the relay <b>command</b> into a human-readable string. */ 525 const char * 526 relay_command_to_string(uint8_t command) 527 { 528 static char buf[64]; 529 switch (command) { 530 case RELAY_COMMAND_BEGIN: return "BEGIN"; 531 case RELAY_COMMAND_DATA: return "DATA"; 532 case RELAY_COMMAND_END: return "END"; 533 case RELAY_COMMAND_CONNECTED: return "CONNECTED"; 534 case RELAY_COMMAND_SENDME: return "SENDME"; 535 case RELAY_COMMAND_EXTEND: return "EXTEND"; 536 case RELAY_COMMAND_EXTENDED: return "EXTENDED"; 537 case RELAY_COMMAND_TRUNCATE: return "TRUNCATE"; 538 case RELAY_COMMAND_TRUNCATED: return "TRUNCATED"; 539 case RELAY_COMMAND_DROP: return "DROP"; 540 case RELAY_COMMAND_RESOLVE: return "RESOLVE"; 541 case RELAY_COMMAND_RESOLVED: return "RESOLVED"; 542 case RELAY_COMMAND_BEGIN_DIR: return "BEGIN_DIR"; 543 case RELAY_COMMAND_ESTABLISH_INTRO: return "ESTABLISH_INTRO"; 544 case RELAY_COMMAND_ESTABLISH_RENDEZVOUS: return "ESTABLISH_RENDEZVOUS"; 545 case RELAY_COMMAND_INTRODUCE1: return "INTRODUCE1"; 546 case RELAY_COMMAND_INTRODUCE2: return "INTRODUCE2"; 547 case RELAY_COMMAND_RENDEZVOUS1: return "RENDEZVOUS1"; 548 case RELAY_COMMAND_RENDEZVOUS2: return "RENDEZVOUS2"; 549 case RELAY_COMMAND_INTRO_ESTABLISHED: return "INTRO_ESTABLISHED"; 550 case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED: 551 return "RENDEZVOUS_ESTABLISHED"; 552 case RELAY_COMMAND_INTRODUCE_ACK: return "INTRODUCE_ACK"; 553 case RELAY_COMMAND_EXTEND2: return "EXTEND2"; 554 case RELAY_COMMAND_EXTENDED2: return "EXTENDED2"; 555 case RELAY_COMMAND_PADDING_NEGOTIATE: return "PADDING_NEGOTIATE"; 556 case RELAY_COMMAND_PADDING_NEGOTIATED: return "PADDING_NEGOTIATED"; 557 case RELAY_COMMAND_CONFLUX_LINK: return "CONFLUX_LINK"; 558 case RELAY_COMMAND_CONFLUX_LINKED: return "CONFLUX_LINKED"; 559 case RELAY_COMMAND_CONFLUX_LINKED_ACK: return "CONFLUX_LINKED_ACK"; 560 case RELAY_COMMAND_CONFLUX_SWITCH: return "CONFLUX_SWITCH"; 561 default: 562 tor_snprintf(buf, sizeof(buf), "Unrecognized relay command %u", 563 (unsigned)command); 564 return buf; 565 } 566 } 567 568 /** Make a relay cell out of <b>relay_command</b> and <b>payload</b>, and send 569 * it onto the open circuit <b>circ</b>. <b>stream_id</b> is the ID on 570 * <b>circ</b> for the stream that's sending the relay cell, or 0 if it's a 571 * control cell. <b>cpath_layer</b> is NULL for OR->OP cells, or the 572 * destination hop for OP->OR cells. 573 * 574 * If you can't send the cell, mark the circuit for close and return -1. Else 575 * return 0. 576 */ 577 MOCK_IMPL(int, 578 relay_send_command_from_edge_,(streamid_t stream_id, circuit_t *orig_circ, 579 uint8_t relay_command, const char *payload, 580 size_t payload_len, crypt_path_t *cpath_layer, 581 const char *filename, int lineno)) 582 { 583 cell_t cell; 584 cell_direction_t cell_direction; 585 circuit_t *circ = orig_circ; 586 587 /* If conflux is enabled, decide which leg to send on, and use that */ 588 if (orig_circ->conflux && conflux_should_multiplex(relay_command)) { 589 circ = conflux_decide_circ_for_send(orig_circ->conflux, orig_circ, 590 relay_command); 591 if (!circ) { 592 /* Something is wrong with the conflux set. We are done. */ 593 return -1; 594 } 595 /* Conflux circuits always send multiplexed relay commands to 596 * to the last hop. (Non-multiplexed commands go on their 597 * original circuit and hop). */ 598 cpath_layer = conflux_get_destination_hop(circ); 599 } 600 601 /* This is possible because we have protocol error paths when deciding the 602 * next circuit to send which can close the whole set. Bail out early. */ 603 if (circ->marked_for_close) { 604 return -1; 605 } 606 607 /* XXXX NM Split this function into a separate versions per circuit type? */ 608 609 tor_assert(circ); 610 611 size_t msg_body_len; 612 { 613 relay_cell_fmt_t cell_format = circuit_get_relay_format(circ, cpath_layer); 614 relay_msg_t msg = {0}; 615 if (payload_len > 616 relay_cell_max_payload_size(cell_format, relay_command)) { 617 // TODO CGO: Rate-limit this? 618 log_warn(LD_BUG, "Tried to send a command %d of length %d in " 619 "a v%d cell, from %s:%d", 620 (int)relay_command, (int)payload_len, (int)cell_format, 621 filename, lineno); 622 circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL); 623 return -1; 624 } 625 626 msg.command = relay_command; 627 msg.stream_id = stream_id; 628 msg.length = payload_len; 629 msg.body = (const uint8_t *) payload; 630 msg_body_len = msg.length; 631 // If this cell should be RELAY_EARLY, we'll change the type 632 // later in this function. 633 msg.is_relay_early = false; 634 635 if (relay_msg_encode_cell(cell_format, &msg, &cell) < 0) { 636 // We already called IF_BUG_ONCE in relay_msg_encode_cell. 637 circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL); 638 return -1; 639 } 640 } 641 642 cell.command = CELL_RELAY; 643 if (CIRCUIT_IS_ORIGIN(circ)) { 644 tor_assert(cpath_layer); 645 cell.circ_id = circ->n_circ_id; 646 cell_direction = CELL_DIRECTION_OUT; 647 } else { 648 tor_assert(! cpath_layer); 649 cell.circ_id = TO_OR_CIRCUIT(circ)->p_circ_id; 650 cell_direction = CELL_DIRECTION_IN; 651 } 652 653 log_debug(LD_OR,"delivering %d cell %s.", relay_command, 654 cell_direction == CELL_DIRECTION_OUT ? "forward" : "backward"); 655 656 /* Tell circpad we're sending a relay cell */ 657 circpad_deliver_sent_relay_cell_events(circ, relay_command); 658 659 /* If we are sending an END cell and this circuit is used for a tunneled 660 * directory request, advance its state. */ 661 if (relay_command == RELAY_COMMAND_END && circ->dirreq_id) 662 geoip_change_dirreq_state(circ->dirreq_id, DIRREQ_TUNNELED, 663 DIRREQ_END_CELL_SENT); 664 665 if (cell_direction == CELL_DIRECTION_OUT && circ->n_chan) { 666 /* if we're using relaybandwidthrate, this conn wants priority */ 667 channel_timestamp_client(circ->n_chan); 668 } 669 670 if (cell_direction == CELL_DIRECTION_OUT) { 671 origin_circuit_t *origin_circ = TO_ORIGIN_CIRCUIT(circ); 672 if (origin_circ->remaining_relay_early_cells > 0 && 673 (relay_command == RELAY_COMMAND_EXTEND || 674 relay_command == RELAY_COMMAND_EXTEND2 || 675 cpath_layer != origin_circ->cpath)) { 676 /* If we've got any relay_early cells left and (we're sending 677 * an extend cell or we're not talking to the first hop), use 678 * one of them. Don't worry about the conn protocol version: 679 * append_cell_to_circuit_queue will fix it up. */ 680 cell.command = CELL_RELAY_EARLY; 681 /* If we're out of relay early cells, tell circpad */ 682 if (--origin_circ->remaining_relay_early_cells == 0) 683 circpad_machine_event_circ_has_no_relay_early(origin_circ); 684 log_debug(LD_OR, "Sending a RELAY_EARLY cell; %d remaining.", 685 (int)origin_circ->remaining_relay_early_cells); 686 /* Memorize the command that is sent as RELAY_EARLY cell; helps debug 687 * task 878. */ 688 origin_circ->relay_early_commands[ 689 origin_circ->relay_early_cells_sent++] = relay_command; 690 } else if (relay_command == RELAY_COMMAND_EXTEND || 691 relay_command == RELAY_COMMAND_EXTEND2) { 692 /* If no RELAY_EARLY cells can be sent over this circuit, log which 693 * commands have been sent as RELAY_EARLY cells before; helps debug 694 * task 878. */ 695 smartlist_t *commands_list = smartlist_new(); 696 int i = 0; 697 char *commands = NULL; 698 for (; i < origin_circ->relay_early_cells_sent; i++) 699 smartlist_add(commands_list, (char *) 700 relay_command_to_string(origin_circ->relay_early_commands[i])); 701 commands = smartlist_join_strings(commands_list, ",", 0, NULL); 702 log_warn(LD_BUG, "Uh-oh. We're sending a RELAY_COMMAND_EXTEND cell, " 703 "but we have run out of RELAY_EARLY cells on that circuit. " 704 "Commands sent before: %s", commands); 705 tor_free(commands); 706 smartlist_free(commands_list); 707 } 708 709 /* Let's assume we're well-behaved: Anything that we decide to send is 710 * valid, delivered data. */ 711 circuit_sent_valid_data(origin_circ, msg_body_len); 712 } 713 714 int ret = circuit_package_relay_cell(&cell, circ, cell_direction, 715 cpath_layer, stream_id, filename, 716 lineno); 717 if (ret < 0) { 718 circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL); 719 return -1; 720 } else if (ret == 0) { 721 /* This means we should drop the cell or that the circuit was already 722 * marked for close. At this point in time, we do NOT close the circuit if 723 * the cell is dropped. It is not the case with arti where each circuit 724 * protocol violation will lead to closing the circuit. */ 725 return 0; 726 } 727 728 /* At this point, we are certain that the cell was queued on the circuit and 729 * thus will be sent on the wire. */ 730 731 if (circ->conflux) { 732 conflux_note_cell_sent(circ->conflux, circ, relay_command); 733 } 734 735 /* If applicable, note the cell digest for the SENDME version 1 purpose if 736 * we need to. This call needs to be after the circuit_package_relay_cell() 737 * because the cell digest is set within that function. */ 738 if (relay_command == RELAY_COMMAND_DATA) { 739 sendme_record_cell_digest_on_circ(circ, cpath_layer); 740 741 /* Handle the circuit-level SENDME package window. */ 742 if (sendme_note_circuit_data_packaged(circ, cpath_layer) < 0) { 743 /* Package window has gone under 0. Protocol issue. */ 744 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, 745 "Circuit package window is below 0. Closing circuit."); 746 circuit_mark_for_close(circ, END_CIRC_REASON_TORPROTOCOL); 747 return -1; 748 } 749 } 750 751 return 0; 752 } 753 754 /** Make a relay cell out of <b>relay_command</b> and <b>payload</b>, and 755 * send it onto the open circuit <b>circ</b>. <b>fromconn</b> is the stream 756 * that's sending the relay cell, or NULL if it's a control cell. 757 * <b>cpath_layer</b> is NULL for OR->OP cells, or the destination hop 758 * for OP->OR cells. 759 * 760 * If you can't send the cell, mark the circuit for close and 761 * return -1. Else return 0. 762 */ 763 int 764 connection_edge_send_command(edge_connection_t *fromconn, 765 uint8_t relay_command, const char *payload, 766 size_t payload_len) 767 { 768 /* XXXX NM Split this function into a separate versions per circuit type? */ 769 circuit_t *circ; 770 crypt_path_t *cpath_layer = fromconn->cpath_layer; 771 tor_assert(fromconn); 772 773 circ = fromconn->on_circuit; 774 775 if (fromconn->base_.marked_for_close) { 776 log_warn(LD_BUG, 777 "called on conn that's already marked for close at %s:%d.", 778 fromconn->base_.marked_for_close_file, 779 fromconn->base_.marked_for_close); 780 return 0; 781 } 782 783 if (!circ) { 784 if (fromconn->base_.type == CONN_TYPE_AP) { 785 log_info(LD_APP,"no circ. Closing conn."); 786 connection_mark_unattached_ap(EDGE_TO_ENTRY_CONN(fromconn), 787 END_STREAM_REASON_INTERNAL); 788 } else { 789 log_info(LD_EXIT,"no circ. Closing conn."); 790 fromconn->edge_has_sent_end = 1; /* no circ to send to */ 791 fromconn->end_reason = END_STREAM_REASON_INTERNAL; 792 connection_mark_for_close(TO_CONN(fromconn)); 793 } 794 return -1; 795 } 796 797 if (circ->marked_for_close) { 798 /* The circuit has been marked, but not freed yet. When it's freed, it 799 * will mark this connection for close. */ 800 return -1; 801 } 802 803 #ifdef MEASUREMENTS_21206 804 /* Keep track of the number of RELAY_DATA cells sent for directory 805 * connections. */ 806 connection_t *linked_conn = TO_CONN(fromconn)->linked_conn; 807 808 if (linked_conn && linked_conn->type == CONN_TYPE_DIR) { 809 ++(TO_DIR_CONN(linked_conn)->data_cells_sent); 810 } 811 #endif /* defined(MEASUREMENTS_21206) */ 812 813 return relay_send_command_from_edge(fromconn->stream_id, circ, 814 relay_command, payload, 815 payload_len, cpath_layer); 816 } 817 818 /** How many times will I retry a stream that fails due to DNS 819 * resolve failure or misc error? 820 */ 821 #define MAX_RESOLVE_FAILURES 3 822 823 /** Return 1 if reason is something that you should retry if you 824 * get the end cell before you've connected; else return 0. */ 825 static int 826 edge_reason_is_retriable(int reason) 827 { 828 return reason == END_STREAM_REASON_HIBERNATING || 829 reason == END_STREAM_REASON_RESOURCELIMIT || 830 reason == END_STREAM_REASON_EXITPOLICY || 831 reason == END_STREAM_REASON_RESOLVEFAILED || 832 reason == END_STREAM_REASON_MISC || 833 reason == END_STREAM_REASON_NOROUTE; 834 } 835 836 /** Called when we receive an END cell on a stream that isn't open yet, 837 * from the client side. 838 * Arguments are as for connection_edge_process_relay_cell(). 839 */ 840 static int 841 connection_ap_process_end_not_open( 842 const relay_msg_t *msg, origin_circuit_t *circ, 843 entry_connection_t *conn, crypt_path_t *layer_hint) 844 { 845 node_t *exitrouter; 846 int reason = get_uint8(msg->body); 847 int control_reason; 848 edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(conn); 849 (void) layer_hint; /* unused */ 850 851 if (msg->length > 0) { 852 if (reason == END_STREAM_REASON_TORPROTOCOL || 853 reason == END_STREAM_REASON_DESTROY) { 854 /* Both of these reasons could mean a failed tag 855 * hit the exit and it complained. Do not probe. 856 * Fail the circuit. */ 857 circ->path_state = PATH_STATE_USE_FAILED; 858 return -END_CIRC_REASON_TORPROTOCOL; 859 } else if (reason == END_STREAM_REASON_INTERNAL) { 860 /* We can't infer success or failure, since older Tors report 861 * ENETUNREACH as END_STREAM_REASON_INTERNAL. */ 862 } else { 863 /* Path bias: If we get a valid reason code from the exit, 864 * it wasn't due to tagging. 865 * 866 * We rely on recognized+digest being strong enough to make 867 * tags unlikely to allow us to get tagged, yet 'recognized' 868 * reason codes here. */ 869 pathbias_mark_use_success(circ); 870 } 871 } 872 873 /* This end cell is now valid. */ 874 circuit_read_valid_data(circ, msg->length); 875 876 if (msg->length == 0) { 877 reason = END_STREAM_REASON_MISC; 878 } 879 880 control_reason = reason | END_STREAM_REASON_FLAG_REMOTE; 881 882 if (edge_reason_is_retriable(reason) && 883 /* avoid retry if rend */ 884 !connection_edge_is_rendezvous_stream(edge_conn)) { 885 const char *chosen_exit_digest = 886 circ->build_state->chosen_exit->identity_digest; 887 log_info(LD_APP,"Address '%s' refused due to '%s'. Considering retrying.", 888 safe_str(conn->socks_request->address), 889 stream_end_reason_to_string(reason)); 890 exitrouter = node_get_mutable_by_id(chosen_exit_digest); 891 switch (reason) { 892 case END_STREAM_REASON_EXITPOLICY: { 893 tor_addr_t addr; 894 tor_addr_make_unspec(&addr); 895 if (msg->length >= 5) { 896 int ttl = -1; 897 tor_addr_make_unspec(&addr); 898 if (msg->length == 5 || msg->length == 9) { 899 tor_addr_from_ipv4n(&addr, get_uint32(msg->body + 1)); 900 if (msg->length == 9) 901 ttl = (int)ntohl(get_uint32(msg->body + 5)); 902 } else if (msg->length == 17 || msg->length == 21) { 903 tor_addr_from_ipv6_bytes(&addr, msg->body + 1); 904 if (msg->length == 21) 905 ttl = (int)ntohl(get_uint32(msg->body + 17)); 906 } 907 if (tor_addr_is_null(&addr)) { 908 log_info(LD_APP,"Address '%s' resolved to 0.0.0.0. Closing,", 909 safe_str(conn->socks_request->address)); 910 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL); 911 return 0; 912 } 913 914 if ((tor_addr_family(&addr) == AF_INET && 915 !conn->entry_cfg.ipv4_traffic) || 916 (tor_addr_family(&addr) == AF_INET6 && 917 !conn->entry_cfg.ipv6_traffic)) { 918 log_fn(LOG_PROTOCOL_WARN, LD_APP, 919 "Got an EXITPOLICY failure on a connection with a " 920 "mismatched family. Closing."); 921 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL); 922 return 0; 923 } 924 if (get_options()->ClientDNSRejectInternalAddresses && 925 tor_addr_is_internal(&addr, 0)) { 926 log_info(LD_APP,"Address '%s' resolved to internal. Closing,", 927 safe_str(conn->socks_request->address)); 928 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL); 929 return 0; 930 } 931 932 client_dns_set_addressmap(conn, 933 conn->socks_request->address, &addr, 934 conn->chosen_exit_name, ttl); 935 936 { 937 char new_addr[TOR_ADDR_BUF_LEN]; 938 tor_addr_to_str(new_addr, &addr, sizeof(new_addr), 1); 939 if (strcmp(conn->socks_request->address, new_addr)) { 940 strlcpy(conn->socks_request->address, new_addr, 941 sizeof(conn->socks_request->address)); 942 control_event_stream_status(conn, STREAM_EVENT_REMAP, 0); 943 } 944 } 945 } 946 /* check if the exit *ought* to have allowed it */ 947 948 adjust_exit_policy_from_exitpolicy_failure(circ, 949 conn, 950 exitrouter, 951 &addr); 952 953 if (conn->chosen_exit_optional || 954 conn->chosen_exit_retries) { 955 /* stop wanting a specific exit */ 956 conn->chosen_exit_optional = 0; 957 /* A non-zero chosen_exit_retries can happen if we set a 958 * TrackHostExits for this address under a port that the exit 959 * relay allows, but then try the same address with a different 960 * port that it doesn't allow to exit. We shouldn't unregister 961 * the mapping, since it is probably still wanted on the 962 * original port. But now we give away to the exit relay that 963 * we probably have a TrackHostExits on it. So be it. */ 964 conn->chosen_exit_retries = 0; 965 tor_free(conn->chosen_exit_name); /* clears it */ 966 } 967 if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0) 968 return 0; 969 /* else, conn will get closed below */ 970 break; 971 } 972 case END_STREAM_REASON_CONNECTREFUSED: 973 if (!conn->chosen_exit_optional) 974 break; /* break means it'll close, below */ 975 /* Else fall through: expire this circuit, clear the 976 * chosen_exit_name field, and try again. */ 977 FALLTHROUGH; 978 case END_STREAM_REASON_RESOLVEFAILED: 979 case END_STREAM_REASON_TIMEOUT: 980 case END_STREAM_REASON_MISC: 981 case END_STREAM_REASON_NOROUTE: 982 if (client_dns_incr_failures(conn->socks_request->address) 983 < MAX_RESOLVE_FAILURES) { 984 /* We haven't retried too many times; reattach the connection. */ 985 circuit_log_path(LOG_INFO,LD_APP,circ); 986 /* Mark this circuit "unusable for new streams". */ 987 mark_circuit_unusable_for_new_conns(circ); 988 989 if (conn->chosen_exit_optional) { 990 /* stop wanting a specific exit */ 991 conn->chosen_exit_optional = 0; 992 tor_free(conn->chosen_exit_name); /* clears it */ 993 } 994 if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0) 995 return 0; 996 /* else, conn will get closed below */ 997 } else { 998 log_notice(LD_APP, 999 "Have tried resolving or connecting to address '%s' " 1000 "at %d different places. Giving up.", 1001 safe_str(conn->socks_request->address), 1002 MAX_RESOLVE_FAILURES); 1003 /* clear the failures, so it will have a full try next time */ 1004 client_dns_clear_failures(conn->socks_request->address); 1005 } 1006 break; 1007 case END_STREAM_REASON_HIBERNATING: 1008 case END_STREAM_REASON_RESOURCELIMIT: 1009 if (exitrouter) { 1010 policies_set_node_exitpolicy_to_reject_all(exitrouter); 1011 } 1012 if (conn->chosen_exit_optional) { 1013 /* stop wanting a specific exit */ 1014 conn->chosen_exit_optional = 0; 1015 tor_free(conn->chosen_exit_name); /* clears it */ 1016 } 1017 if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0) 1018 return 0; 1019 /* else, will close below */ 1020 break; 1021 } /* end switch */ 1022 log_info(LD_APP,"Giving up on retrying; conn can't be handled."); 1023 } 1024 1025 log_info(LD_APP, 1026 "Edge got end (%s) before we're connected. Marking for close.", 1027 stream_end_reason_to_string(msg->length > 0 ? reason : -1)); 1028 circuit_log_path(LOG_INFO,LD_APP,circ); 1029 /* need to test because of detach_retriable */ 1030 if (!ENTRY_TO_CONN(conn)->marked_for_close) 1031 connection_mark_unattached_ap(conn, control_reason); 1032 return 0; 1033 } 1034 1035 /** Called when we have gotten an END_REASON_EXITPOLICY failure on <b>circ</b> 1036 * for <b>conn</b>, while attempting to connect via <b>node</b>. If the node 1037 * told us which address it rejected, then <b>addr</b> is that address; 1038 * otherwise it is AF_UNSPEC. 1039 * 1040 * If we are sure the node should have allowed this address, mark the node as 1041 * having a reject *:* exit policy. Otherwise, mark the circuit as unusable 1042 * for this particular address. 1043 **/ 1044 static void 1045 adjust_exit_policy_from_exitpolicy_failure(origin_circuit_t *circ, 1046 entry_connection_t *conn, 1047 node_t *node, 1048 const tor_addr_t *addr) 1049 { 1050 int make_reject_all = 0; 1051 const sa_family_t family = tor_addr_family(addr); 1052 1053 if (node) { 1054 tor_addr_t tmp; 1055 int asked_for_family = tor_addr_parse(&tmp, conn->socks_request->address); 1056 if (family == AF_UNSPEC) { 1057 make_reject_all = 1; 1058 } else if (node_exit_policy_is_exact(node, family) && 1059 asked_for_family != -1 && !conn->chosen_exit_name) { 1060 make_reject_all = 1; 1061 } 1062 1063 if (make_reject_all) { 1064 log_info(LD_APP, 1065 "Exitrouter %s seems to be more restrictive than its exit " 1066 "policy. Not using this router as exit for now.", 1067 node_describe(node)); 1068 policies_set_node_exitpolicy_to_reject_all(node); 1069 } 1070 } 1071 1072 if (family != AF_UNSPEC) 1073 addr_policy_append_reject_addr(&circ->prepend_policy, addr); 1074 } 1075 1076 /** Helper: change the socks_request->address field on conn to the 1077 * dotted-quad representation of <b>new_addr</b>, 1078 * and send an appropriate REMAP event. */ 1079 static void 1080 remap_event_helper(entry_connection_t *conn, const tor_addr_t *new_addr) 1081 { 1082 tor_addr_to_str(conn->socks_request->address, new_addr, 1083 sizeof(conn->socks_request->address), 1084 1); 1085 control_event_stream_status(conn, STREAM_EVENT_REMAP, 1086 REMAP_STREAM_SOURCE_EXIT); 1087 } 1088 1089 /** Extract the contents of a connected cell in <b>cell</b>, whose relay 1090 * header has already been parsed into <b>rh</b>. On success, set 1091 * <b>addr_out</b> to the address we're connected to, and <b>ttl_out</b> to 1092 * the ttl of that address, in seconds, and return 0. On failure, return 1093 * -1. 1094 * 1095 * Note that the resulting address can be UNSPEC if the connected cell had no 1096 * address (as for a stream to an union service or a tunneled directory 1097 * connection), and that the ttl can be absent (in which case <b>ttl_out</b> 1098 * is set to -1). */ 1099 STATIC int 1100 connected_cell_parse(const relay_msg_t *msg, tor_addr_t *addr_out, 1101 int *ttl_out) 1102 { 1103 uint32_t bytes; 1104 const uint8_t *payload = msg->body; 1105 1106 tor_addr_make_unspec(addr_out); 1107 *ttl_out = -1; 1108 if (msg->length == 0) 1109 return 0; 1110 if (msg->length < 4) 1111 return -1; 1112 bytes = ntohl(get_uint32(payload)); 1113 1114 /* If bytes is 0, this is maybe a v6 address. Otherwise it's a v4 address */ 1115 if (bytes != 0) { 1116 /* v4 address */ 1117 tor_addr_from_ipv4h(addr_out, bytes); 1118 if (msg->length >= 8) { 1119 bytes = ntohl(get_uint32(payload + 4)); 1120 if (bytes <= INT32_MAX) 1121 *ttl_out = bytes; 1122 } 1123 } else { 1124 if (msg->length < 25) /* 4 bytes of 0s, 1 addr, 16 ipv4, 4 ttl. */ 1125 return -1; 1126 if (get_uint8(payload + 4) != 6) 1127 return -1; 1128 tor_addr_from_ipv6_bytes(addr_out, (payload + 5)); 1129 bytes = ntohl(get_uint32(payload + 21)); 1130 if (bytes <= INT32_MAX) 1131 *ttl_out = (int) bytes; 1132 } 1133 return 0; 1134 } 1135 1136 /** Drop all storage held by <b>addr</b>. */ 1137 STATIC void 1138 address_ttl_free_(address_ttl_t *addr) 1139 { 1140 if (!addr) 1141 return; 1142 tor_free(addr->hostname); 1143 tor_free(addr); 1144 } 1145 1146 /** Parse a resolved cell in <b>cell</b>, with parsed header in <b>rh</b>. 1147 * Return -1 on parse error. On success, add one or more newly allocated 1148 * address_ttl_t to <b>addresses_out</b>; set *<b>errcode_out</b> to 1149 * one of 0, RESOLVED_TYPE_ERROR, or RESOLVED_TYPE_ERROR_TRANSIENT, and 1150 * return 0. */ 1151 STATIC int 1152 resolved_cell_parse(const relay_msg_t *msg, smartlist_t *addresses_out, 1153 int *errcode_out) 1154 { 1155 const uint8_t *cp; 1156 uint8_t answer_type; 1157 size_t answer_len; 1158 address_ttl_t *addr; 1159 size_t remaining; 1160 int errcode = 0; 1161 smartlist_t *addrs; 1162 1163 tor_assert(msg); 1164 tor_assert(addresses_out); 1165 tor_assert(errcode_out); 1166 1167 *errcode_out = 0; 1168 1169 if (msg->length > RELAY_PAYLOAD_SIZE_MAX) 1170 return -1; 1171 1172 addrs = smartlist_new(); 1173 1174 cp = msg->body; 1175 1176 remaining = msg->length; 1177 while (remaining) { 1178 const uint8_t *cp_orig = cp; 1179 if (remaining < 2) 1180 goto err; 1181 answer_type = *cp++; 1182 answer_len = *cp++; 1183 if (remaining < 2 + answer_len + 4) { 1184 goto err; 1185 } 1186 if (answer_type == RESOLVED_TYPE_IPV4) { 1187 if (answer_len != 4) { 1188 goto err; 1189 } 1190 addr = tor_malloc_zero(sizeof(*addr)); 1191 tor_addr_from_ipv4n(&addr->addr, get_uint32(cp)); 1192 cp += 4; 1193 addr->ttl = ntohl(get_uint32(cp)); 1194 cp += 4; 1195 smartlist_add(addrs, addr); 1196 } else if (answer_type == RESOLVED_TYPE_IPV6) { 1197 if (answer_len != 16) 1198 goto err; 1199 addr = tor_malloc_zero(sizeof(*addr)); 1200 tor_addr_from_ipv6_bytes(&addr->addr, cp); 1201 cp += 16; 1202 addr->ttl = ntohl(get_uint32(cp)); 1203 cp += 4; 1204 smartlist_add(addrs, addr); 1205 } else if (answer_type == RESOLVED_TYPE_HOSTNAME) { 1206 if (answer_len == 0) { 1207 goto err; 1208 } 1209 addr = tor_malloc_zero(sizeof(*addr)); 1210 addr->hostname = tor_memdup_nulterm(cp, answer_len); 1211 cp += answer_len; 1212 addr->ttl = ntohl(get_uint32(cp)); 1213 cp += 4; 1214 smartlist_add(addrs, addr); 1215 } else if (answer_type == RESOLVED_TYPE_ERROR_TRANSIENT || 1216 answer_type == RESOLVED_TYPE_ERROR) { 1217 errcode = answer_type; 1218 /* Ignore the error contents */ 1219 cp += answer_len + 4; 1220 } else { 1221 cp += answer_len + 4; 1222 } 1223 tor_assert(((ssize_t)remaining) >= (cp - cp_orig)); 1224 remaining -= (cp - cp_orig); 1225 } 1226 1227 if (errcode && smartlist_len(addrs) == 0) { 1228 /* Report an error only if there were no results. */ 1229 *errcode_out = errcode; 1230 } 1231 1232 smartlist_add_all(addresses_out, addrs); 1233 smartlist_free(addrs); 1234 1235 return 0; 1236 1237 err: 1238 /* On parse error, don't report any results */ 1239 SMARTLIST_FOREACH(addrs, address_ttl_t *, a, address_ttl_free(a)); 1240 smartlist_free(addrs); 1241 return -1; 1242 } 1243 1244 /** Helper for connection_edge_process_resolved_cell: given an error code, 1245 * an entry_connection, and a list of address_ttl_t *, report the best answer 1246 * to the entry_connection. */ 1247 static void 1248 connection_ap_handshake_socks_got_resolved_cell(entry_connection_t *conn, 1249 int error_code, 1250 smartlist_t *results) 1251 { 1252 address_ttl_t *addr_ipv4 = NULL; 1253 address_ttl_t *addr_ipv6 = NULL; 1254 address_ttl_t *addr_hostname = NULL; 1255 address_ttl_t *addr_best = NULL; 1256 1257 /* If it's an error code, that's easy. */ 1258 if (error_code) { 1259 tor_assert(error_code == RESOLVED_TYPE_ERROR || 1260 error_code == RESOLVED_TYPE_ERROR_TRANSIENT); 1261 connection_ap_handshake_socks_resolved(conn, 1262 error_code,0,NULL,-1,-1); 1263 return; 1264 } 1265 1266 /* Get the first answer of each type. */ 1267 SMARTLIST_FOREACH_BEGIN(results, address_ttl_t *, addr) { 1268 if (addr->hostname) { 1269 if (!addr_hostname) { 1270 addr_hostname = addr; 1271 } 1272 } else if (tor_addr_family(&addr->addr) == AF_INET) { 1273 if (!addr_ipv4 && conn->entry_cfg.ipv4_traffic) { 1274 addr_ipv4 = addr; 1275 } 1276 } else if (tor_addr_family(&addr->addr) == AF_INET6) { 1277 if (!addr_ipv6 && conn->entry_cfg.ipv6_traffic) { 1278 addr_ipv6 = addr; 1279 } 1280 } 1281 } SMARTLIST_FOREACH_END(addr); 1282 1283 /* Now figure out which type we wanted to deliver. */ 1284 if (conn->socks_request->command == SOCKS_COMMAND_RESOLVE_PTR) { 1285 if (addr_hostname) { 1286 connection_ap_handshake_socks_resolved(conn, 1287 RESOLVED_TYPE_HOSTNAME, 1288 strlen(addr_hostname->hostname), 1289 (uint8_t*)addr_hostname->hostname, 1290 addr_hostname->ttl,-1); 1291 } else { 1292 connection_ap_handshake_socks_resolved(conn, 1293 RESOLVED_TYPE_ERROR,0,NULL,-1,-1); 1294 } 1295 return; 1296 } 1297 1298 if (conn->entry_cfg.prefer_ipv6) { 1299 addr_best = addr_ipv6 ? addr_ipv6 : addr_ipv4; 1300 } else { 1301 addr_best = addr_ipv4 ? addr_ipv4 : addr_ipv6; 1302 } 1303 1304 /* Now convert it to the ugly old interface */ 1305 if (! addr_best) { 1306 connection_ap_handshake_socks_resolved(conn, 1307 RESOLVED_TYPE_NOERROR,0,NULL,-1,-1); 1308 return; 1309 } 1310 1311 connection_ap_handshake_socks_resolved_addr(conn, 1312 &addr_best->addr, 1313 addr_best->ttl, 1314 -1); 1315 1316 remap_event_helper(conn, &addr_best->addr); 1317 } 1318 1319 /** Handle a RELAY_COMMAND_RESOLVED cell that we received on a non-open AP 1320 * stream. */ 1321 STATIC int 1322 connection_edge_process_resolved_cell(edge_connection_t *conn, 1323 const relay_msg_t *msg) 1324 { 1325 entry_connection_t *entry_conn = EDGE_TO_ENTRY_CONN(conn); 1326 smartlist_t *resolved_addresses = NULL; 1327 int errcode = 0; 1328 1329 if (conn->base_.state != AP_CONN_STATE_RESOLVE_WAIT) { 1330 log_fn(LOG_PROTOCOL_WARN, LD_APP, "Got a 'resolved' cell while " 1331 "not in state resolve_wait. Dropping."); 1332 return 0; 1333 } 1334 tor_assert(SOCKS_COMMAND_IS_RESOLVE(entry_conn->socks_request->command)); 1335 1336 resolved_addresses = smartlist_new(); 1337 if (resolved_cell_parse(msg, resolved_addresses, &errcode)) { 1338 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, 1339 "Dropping malformed 'resolved' cell"); 1340 connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TORPROTOCOL); 1341 goto done; 1342 } 1343 1344 if (get_options()->ClientDNSRejectInternalAddresses) { 1345 int orig_len = smartlist_len(resolved_addresses); 1346 SMARTLIST_FOREACH_BEGIN(resolved_addresses, address_ttl_t *, addr) { 1347 if (addr->hostname == NULL && tor_addr_is_internal(&addr->addr, 0)) { 1348 log_info(LD_APP, "Got a resolved cell with answer %s; dropping that " 1349 "answer.", 1350 safe_str_client(fmt_addr(&addr->addr))); 1351 address_ttl_free(addr); 1352 SMARTLIST_DEL_CURRENT(resolved_addresses, addr); 1353 } 1354 } SMARTLIST_FOREACH_END(addr); 1355 if (orig_len && smartlist_len(resolved_addresses) == 0) { 1356 log_info(LD_APP, "Got a resolved cell with only private addresses; " 1357 "dropping it."); 1358 connection_ap_handshake_socks_resolved(entry_conn, 1359 RESOLVED_TYPE_ERROR_TRANSIENT, 1360 0, NULL, 0, TIME_MAX); 1361 connection_mark_unattached_ap(entry_conn, 1362 END_STREAM_REASON_TORPROTOCOL); 1363 goto done; 1364 } 1365 } 1366 1367 /* This is valid data at this point. Count it */ 1368 if (conn->on_circuit && CIRCUIT_IS_ORIGIN(conn->on_circuit)) { 1369 circuit_read_valid_data(TO_ORIGIN_CIRCUIT(conn->on_circuit), 1370 msg->length); 1371 } 1372 1373 connection_ap_handshake_socks_got_resolved_cell(entry_conn, 1374 errcode, 1375 resolved_addresses); 1376 1377 connection_mark_unattached_ap(entry_conn, 1378 END_STREAM_REASON_DONE | 1379 END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED); 1380 1381 done: 1382 SMARTLIST_FOREACH(resolved_addresses, address_ttl_t *, addr, 1383 address_ttl_free(addr)); 1384 smartlist_free(resolved_addresses); 1385 return 0; 1386 } 1387 1388 /** An incoming relay cell has arrived from circuit <b>circ</b> to 1389 * stream <b>conn</b>. 1390 * 1391 * The arguments here are the same as in 1392 * connection_edge_process_relay_cell() below; this function is called 1393 * from there when <b>conn</b> is defined and not in an open state. 1394 */ 1395 static int 1396 connection_edge_process_relay_cell_not_open( 1397 const relay_msg_t *msg, circuit_t *circ, 1398 edge_connection_t *conn, crypt_path_t *layer_hint) 1399 { 1400 if (msg->command == RELAY_COMMAND_END) { 1401 if (CIRCUIT_IS_ORIGIN(circ) && conn->base_.type == CONN_TYPE_AP) { 1402 return connection_ap_process_end_not_open(msg, 1403 TO_ORIGIN_CIRCUIT(circ), 1404 EDGE_TO_ENTRY_CONN(conn), 1405 layer_hint); 1406 } else { 1407 /* we just got an 'end', don't need to send one */ 1408 conn->edge_has_sent_end = 1; 1409 conn->end_reason = get_uint8(msg->body) | END_STREAM_REASON_FLAG_REMOTE; 1410 connection_mark_for_close(TO_CONN(conn)); 1411 return 0; 1412 } 1413 } 1414 1415 if (conn->base_.type == CONN_TYPE_AP && 1416 msg->command == RELAY_COMMAND_CONNECTED) { 1417 tor_addr_t addr; 1418 int ttl; 1419 entry_connection_t *entry_conn = EDGE_TO_ENTRY_CONN(conn); 1420 tor_assert(CIRCUIT_IS_ORIGIN(circ)); 1421 if (conn->base_.state != AP_CONN_STATE_CONNECT_WAIT) { 1422 log_fn(LOG_PROTOCOL_WARN, LD_APP, 1423 "Got 'connected' while not in state connect_wait. Dropping."); 1424 return 0; 1425 } 1426 CONNECTION_AP_EXPECT_NONPENDING(entry_conn); 1427 conn->base_.state = AP_CONN_STATE_OPEN; 1428 log_info(LD_APP,"'connected' received for circid %u streamid %d " 1429 "after %d seconds.", 1430 (unsigned)circ->n_circ_id, 1431 msg->stream_id, 1432 (int)(time(NULL) - conn->base_.timestamp_last_read_allowed)); 1433 if (connected_cell_parse(msg, &addr, &ttl) < 0) { 1434 log_fn(LOG_PROTOCOL_WARN, LD_APP, 1435 "Got a badly formatted connected cell. Closing."); 1436 connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL); 1437 connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TORPROTOCOL); 1438 return 0; 1439 } 1440 if (tor_addr_family(&addr) != AF_UNSPEC) { 1441 /* The family is not UNSPEC: so we were given an address in the 1442 * connected cell. (This is normal, except for BEGINDIR and onion 1443 * service streams.) */ 1444 const sa_family_t family = tor_addr_family(&addr); 1445 if (tor_addr_is_null(&addr) || 1446 (get_options()->ClientDNSRejectInternalAddresses && 1447 tor_addr_is_internal(&addr, 0))) { 1448 log_info(LD_APP, "...but it claims the IP address was %s. Closing.", 1449 safe_str(fmt_addr(&addr))); 1450 connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL); 1451 connection_mark_unattached_ap(entry_conn, 1452 END_STREAM_REASON_TORPROTOCOL); 1453 return 0; 1454 } 1455 1456 if ((family == AF_INET && ! entry_conn->entry_cfg.ipv4_traffic) || 1457 (family == AF_INET6 && ! entry_conn->entry_cfg.ipv6_traffic)) { 1458 log_fn(LOG_PROTOCOL_WARN, LD_APP, 1459 "Got a connected cell to %s with unsupported address family." 1460 " Closing.", safe_str(fmt_addr(&addr))); 1461 connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL); 1462 connection_mark_unattached_ap(entry_conn, 1463 END_STREAM_REASON_TORPROTOCOL); 1464 return 0; 1465 } 1466 1467 client_dns_set_addressmap(entry_conn, 1468 entry_conn->socks_request->address, &addr, 1469 entry_conn->chosen_exit_name, ttl); 1470 1471 remap_event_helper(entry_conn, &addr); 1472 } 1473 circuit_log_path(LOG_INFO,LD_APP,TO_ORIGIN_CIRCUIT(circ)); 1474 /* don't send a socks reply to transparent conns */ 1475 tor_assert(entry_conn->socks_request != NULL); 1476 if (!entry_conn->socks_request->has_finished) { 1477 connection_ap_handshake_socks_reply(entry_conn, NULL, 0, 0); 1478 } 1479 1480 /* Was it a linked dir conn? If so, a dir request just started to 1481 * fetch something; this could be a bootstrap status milestone. */ 1482 log_debug(LD_APP, "considering"); 1483 if (TO_CONN(conn)->linked_conn && 1484 TO_CONN(conn)->linked_conn->type == CONN_TYPE_DIR) { 1485 connection_t *dirconn = TO_CONN(conn)->linked_conn; 1486 log_debug(LD_APP, "it is! %d", dirconn->purpose); 1487 switch (dirconn->purpose) { 1488 case DIR_PURPOSE_FETCH_CERTIFICATE: 1489 if (consensus_is_waiting_for_certs()) 1490 control_event_bootstrap(BOOTSTRAP_STATUS_LOADING_KEYS, 0); 1491 break; 1492 case DIR_PURPOSE_FETCH_CONSENSUS: 1493 control_event_bootstrap(BOOTSTRAP_STATUS_LOADING_STATUS, 0); 1494 break; 1495 case DIR_PURPOSE_FETCH_SERVERDESC: 1496 case DIR_PURPOSE_FETCH_MICRODESC: 1497 if (TO_DIR_CONN(dirconn)->router_purpose == ROUTER_PURPOSE_GENERAL) 1498 control_event_boot_dir(BOOTSTRAP_STATUS_LOADING_DESCRIPTORS, 1499 count_loading_descriptors_progress()); 1500 break; 1501 } 1502 } 1503 /* This is definitely a success, so forget about any pending data we 1504 * had sent. */ 1505 if (entry_conn->pending_optimistic_data) { 1506 buf_free(entry_conn->pending_optimistic_data); 1507 entry_conn->pending_optimistic_data = NULL; 1508 } 1509 1510 /* This is valid data at this point. Count it */ 1511 circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), msg->length); 1512 1513 /* handle anything that might have queued */ 1514 if (connection_edge_package_raw_inbuf(conn, 1, NULL) < 0) { 1515 /* (We already sent an end cell if possible) */ 1516 connection_mark_for_close(TO_CONN(conn)); 1517 return 0; 1518 } 1519 return 0; 1520 } 1521 if (conn->base_.type == CONN_TYPE_AP && 1522 msg->command == RELAY_COMMAND_RESOLVED) { 1523 return connection_edge_process_resolved_cell(conn, msg); 1524 } 1525 1526 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, 1527 "Got an unexpected relay command %d, in state %d (%s). Dropping.", 1528 msg->command, conn->base_.state, 1529 conn_state_to_string(conn->base_.type, conn->base_.state)); 1530 return 0; /* for forward compatibility, don't kill the circuit */ 1531 // connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL); 1532 // connection_mark_for_close(conn); 1533 // return -1; 1534 } 1535 1536 /** Process a SENDME cell that arrived on <b>circ</b>. If it is a stream level 1537 * cell, it is destined for the given <b>conn</b>. If it is a circuit level 1538 * cell, it is destined for the <b>layer_hint</b>. The <b>domain</b> is the 1539 * logging domain that should be used. 1540 * 1541 * Return 0 if everything went well or a negative value representing a circuit 1542 * end reason on error for which the caller is responsible for closing it. */ 1543 static int 1544 process_sendme_cell(const relay_msg_t *msg, circuit_t *circ, 1545 edge_connection_t *conn, crypt_path_t *layer_hint, 1546 int domain) 1547 { 1548 int ret; 1549 1550 tor_assert(msg); 1551 1552 if (!msg->stream_id) { 1553 /* Circuit level SENDME cell. */ 1554 ret = sendme_process_circuit_level(layer_hint, circ, msg->body, 1555 msg->length); 1556 if (ret < 0) { 1557 return ret; 1558 } 1559 /* Resume reading on any streams now that we've processed a valid 1560 * SENDME cell that updated our package window. */ 1561 circuit_resume_edge_reading(circ, layer_hint); 1562 /* We are done, the rest of the code is for the stream level. */ 1563 return 0; 1564 } 1565 1566 /* No connection, might be half edge state. We are done if so. */ 1567 if (!conn) { 1568 if (CIRCUIT_IS_ORIGIN(circ)) { 1569 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); 1570 if (connection_half_edge_is_valid_sendme(ocirc->half_streams, 1571 msg->stream_id)) { 1572 circuit_read_valid_data(ocirc, msg->length); 1573 log_info(domain, "Sendme cell on circ %u valid on half-closed " 1574 "stream id %d", 1575 ocirc->global_identifier, msg->stream_id); 1576 } 1577 } 1578 1579 log_info(domain, "SENDME cell dropped, unknown stream (streamid %d).", 1580 msg->stream_id); 1581 return 0; 1582 } 1583 1584 /* Stream level SENDME cell. */ 1585 // TODO: Turn this off for cc_alg=1,2,3; use XON/XOFF instead 1586 ret = sendme_process_stream_level(conn, circ, msg->length); 1587 if (ret < 0) { 1588 /* Means we need to close the circuit with reason ret. */ 1589 return ret; 1590 } 1591 1592 /* We've now processed properly a SENDME cell, all windows have been 1593 * properly updated, we'll read on the edge connection to see if we can 1594 * get data out towards the end point (Exit or client) since we are now 1595 * allowed to deliver more cells. */ 1596 1597 if (circuit_queue_streams_are_blocked(circ)) { 1598 /* Still waiting for queue to flush; don't touch conn */ 1599 return 0; 1600 } 1601 connection_start_reading(TO_CONN(conn)); 1602 /* handle whatever might still be on the inbuf */ 1603 if (connection_edge_package_raw_inbuf(conn, 1, NULL) < 0) { 1604 /* (We already sent an end cell if possible) */ 1605 connection_mark_for_close(TO_CONN(conn)); 1606 return 0; 1607 } 1608 return 0; 1609 } 1610 1611 /** A helper for connection_edge_process_relay_cell(): Actually handles the 1612 * cell that we received on the connection. 1613 * 1614 * The arguments are the same as in the parent function 1615 * connection_edge_process_relay_cell(), plus the relay header <b>rh</b> as 1616 * unpacked by the parent function, and <b>optimistic_data</b> as set by the 1617 * parent function. 1618 */ 1619 STATIC int 1620 handle_relay_msg(const relay_msg_t *msg, circuit_t *circ, 1621 edge_connection_t *conn, crypt_path_t *layer_hint, 1622 int optimistic_data) 1623 { 1624 unsigned domain = layer_hint?LD_APP:LD_EXIT; 1625 int reason; 1626 1627 tor_assert(msg); 1628 1629 /* First pass the cell to the circuit padding subsystem, in case it's a 1630 * padding cell or circuit that should be handled there. */ 1631 if (circpad_check_received_cell(msg, circ, layer_hint) == 0) { 1632 log_debug(domain, "Cell handled as circuit padding"); 1633 return 0; 1634 } 1635 1636 /* Now handle all the other commands */ 1637 switch (msg->command) { 1638 case RELAY_COMMAND_CONFLUX_LINK: 1639 conflux_process_link(circ, msg); 1640 return 0; 1641 case RELAY_COMMAND_CONFLUX_LINKED: 1642 conflux_process_linked(circ, layer_hint, msg); 1643 return 0; 1644 case RELAY_COMMAND_CONFLUX_LINKED_ACK: 1645 conflux_process_linked_ack(circ); 1646 return 0; 1647 case RELAY_COMMAND_CONFLUX_SWITCH: 1648 return conflux_process_switch_command(circ, layer_hint, msg); 1649 case RELAY_COMMAND_BEGIN: 1650 case RELAY_COMMAND_BEGIN_DIR: 1651 if (layer_hint && 1652 circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) { 1653 log_fn(LOG_PROTOCOL_WARN, LD_APP, 1654 "Relay begin request unsupported at AP. Dropping."); 1655 return 0; 1656 } 1657 if (circ->purpose == CIRCUIT_PURPOSE_S_REND_JOINED && 1658 layer_hint != TO_ORIGIN_CIRCUIT(circ)->cpath->prev) { 1659 log_fn(LOG_PROTOCOL_WARN, LD_APP, 1660 "Relay begin request to Hidden Service " 1661 "from intermediary node. Dropping."); 1662 return 0; 1663 } 1664 if (conn) { 1665 log_fn(LOG_PROTOCOL_WARN, domain, 1666 "Begin cell for known stream. Dropping."); 1667 return 0; 1668 } 1669 if (msg->command == RELAY_COMMAND_BEGIN_DIR && 1670 circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) { 1671 /* Assign this circuit and its app-ward OR connection a unique ID, 1672 * so that we can measure download times. The local edge and dir 1673 * connection will be assigned the same ID when they are created 1674 * and linked. */ 1675 static uint64_t next_id = 0; 1676 circ->dirreq_id = ++next_id; 1677 TO_OR_CIRCUIT(circ)->p_chan->dirreq_id = circ->dirreq_id; 1678 } 1679 return connection_exit_begin_conn(msg, circ); 1680 case RELAY_COMMAND_DATA: 1681 ++stats_n_data_cells_received; 1682 1683 if (msg->stream_id == 0) { 1684 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay data cell with zero " 1685 "stream_id. Dropping."); 1686 return 0; 1687 } else if (!conn) { 1688 if (CIRCUIT_IS_ORIGIN(circ)) { 1689 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); 1690 if (connection_half_edge_is_valid_data(ocirc->half_streams, 1691 msg->stream_id)) { 1692 circuit_read_valid_data(ocirc, msg->length); 1693 log_info(domain, 1694 "data cell on circ %u valid on half-closed " 1695 "stream id %d", ocirc->global_identifier, msg->stream_id); 1696 } 1697 } 1698 1699 log_info(domain,"data cell dropped, unknown stream (streamid %d).", 1700 msg->stream_id); 1701 return 0; 1702 } 1703 1704 /* Update our stream-level deliver window that we just received a DATA 1705 * cell. Going below 0 means we have a protocol level error so the 1706 * stream and circuit are closed. */ 1707 if (sendme_stream_data_received(conn) < 0) { 1708 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, 1709 "(relay data) conn deliver_window below 0. Killing."); 1710 connection_edge_end_close(conn, END_STREAM_REASON_TORPROTOCOL); 1711 return -END_CIRC_REASON_TORPROTOCOL; 1712 } 1713 /* Total all valid application bytes delivered */ 1714 if (CIRCUIT_IS_ORIGIN(circ) && msg->length > 0) { 1715 circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), msg->length); 1716 } 1717 1718 /* For onion service connection, update the metrics. */ 1719 if (conn->hs_ident) { 1720 hs_metrics_app_write_bytes(&conn->hs_ident->identity_pk, 1721 conn->hs_ident->orig_virtual_port, 1722 msg->length); 1723 } 1724 1725 stats_n_data_bytes_received += msg->length; 1726 connection_buf_add((char*) msg->body, msg->length, TO_CONN(conn)); 1727 1728 #ifdef MEASUREMENTS_21206 1729 /* Count number of RELAY_DATA cells received on a linked directory 1730 * connection. */ 1731 connection_t *linked_conn = TO_CONN(conn)->linked_conn; 1732 1733 if (linked_conn && linked_conn->type == CONN_TYPE_DIR) { 1734 ++(TO_DIR_CONN(linked_conn)->data_cells_received); 1735 } 1736 #endif /* defined(MEASUREMENTS_21206) */ 1737 1738 if (!optimistic_data) { 1739 /* Only send a SENDME if we're not getting optimistic data; otherwise 1740 * a SENDME could arrive before the CONNECTED. 1741 */ 1742 sendme_connection_edge_consider_sending(conn); 1743 } 1744 1745 return 0; 1746 case RELAY_COMMAND_XOFF: 1747 if (!conn) { 1748 if (CIRCUIT_IS_ORIGIN(circ)) { 1749 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); 1750 if (relay_crypt_from_last_hop(ocirc, layer_hint) && 1751 connection_half_edge_is_valid_data(ocirc->half_streams, 1752 msg->stream_id)) { 1753 circuit_read_valid_data(ocirc, msg->length); 1754 } 1755 } 1756 return 0; 1757 } 1758 1759 if (circuit_process_stream_xoff(conn, layer_hint)) { 1760 if (CIRCUIT_IS_ORIGIN(circ)) { 1761 circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), msg->length); 1762 } 1763 } 1764 return 0; 1765 case RELAY_COMMAND_XON: 1766 if (!conn) { 1767 if (CIRCUIT_IS_ORIGIN(circ)) { 1768 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); 1769 if (relay_crypt_from_last_hop(ocirc, layer_hint) && 1770 connection_half_edge_is_valid_data(ocirc->half_streams, 1771 msg->stream_id)) { 1772 circuit_read_valid_data(ocirc, msg->length); 1773 } 1774 } 1775 return 0; 1776 } 1777 1778 if (circuit_process_stream_xon(conn, layer_hint, msg)) { 1779 if (CIRCUIT_IS_ORIGIN(circ)) { 1780 circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), msg->length); 1781 } 1782 } 1783 return 0; 1784 case RELAY_COMMAND_END: 1785 reason = msg->length > 0 ? get_uint8(msg->body) : END_STREAM_REASON_MISC; 1786 if (!conn) { 1787 if (CIRCUIT_IS_ORIGIN(circ)) { 1788 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); 1789 if (relay_crypt_from_last_hop(ocirc, layer_hint) && 1790 connection_half_edge_is_valid_end(ocirc->half_streams, 1791 msg->stream_id)) { 1792 1793 circuit_read_valid_data(ocirc, msg->length); 1794 log_info(domain, 1795 "end cell (%s) on circ %u valid on half-closed " 1796 "stream id %d", 1797 stream_end_reason_to_string(reason), 1798 ocirc->global_identifier, msg->stream_id); 1799 return 0; 1800 } 1801 } 1802 log_info(domain,"end cell (%s) dropped, unknown stream.", 1803 stream_end_reason_to_string(reason)); 1804 return 0; 1805 } 1806 /* XXX add to this log_fn the exit node's nickname? */ 1807 log_info(domain,TOR_SOCKET_T_FORMAT": end cell (%s) for stream %d. " 1808 "Removing stream.", 1809 conn->base_.s, 1810 stream_end_reason_to_string(reason), 1811 conn->stream_id); 1812 if (conn->base_.type == CONN_TYPE_AP) { 1813 entry_connection_t *entry_conn = EDGE_TO_ENTRY_CONN(conn); 1814 if (entry_conn->socks_request && 1815 !entry_conn->socks_request->has_finished) 1816 log_warn(LD_BUG, 1817 "open stream hasn't sent socks answer yet? Closing."); 1818 } 1819 /* We just *got* an end; no reason to send one. */ 1820 conn->edge_has_sent_end = 1; 1821 if (!conn->end_reason) 1822 conn->end_reason = reason | END_STREAM_REASON_FLAG_REMOTE; 1823 if (!conn->base_.marked_for_close) { 1824 /* only mark it if not already marked. it's possible to 1825 * get the 'end' right around when the client hangs up on us. */ 1826 connection_mark_and_flush(TO_CONN(conn)); 1827 1828 /* Total all valid application bytes delivered */ 1829 if (CIRCUIT_IS_ORIGIN(circ)) { 1830 circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), msg->length); 1831 } 1832 } 1833 return 0; 1834 case RELAY_COMMAND_EXTEND: 1835 case RELAY_COMMAND_EXTEND2: { 1836 static uint64_t total_n_extend=0, total_nonearly=0; 1837 total_n_extend++; 1838 if (msg->stream_id) { 1839 log_fn(LOG_PROTOCOL_WARN, domain, 1840 "'extend' cell received for non-zero stream. Dropping."); 1841 return 0; 1842 } 1843 if (!msg->is_relay_early && 1844 !networkstatus_get_param(NULL,"AllowNonearlyExtend",0,0,1)) { 1845 #define EARLY_WARNING_INTERVAL 3600 1846 static ratelim_t early_warning_limit = 1847 RATELIM_INIT(EARLY_WARNING_INTERVAL); 1848 char *m; 1849 if (!msg->is_relay_early) { 1850 ++total_nonearly; 1851 if ((m = rate_limit_log(&early_warning_limit, approx_time()))) { 1852 double percentage = ((double)total_nonearly)/total_n_extend; 1853 percentage *= 100; 1854 log_fn(LOG_PROTOCOL_WARN, domain, "EXTEND cell received, " 1855 "but not via RELAY_EARLY. Dropping.%s", m); 1856 log_fn(LOG_PROTOCOL_WARN, domain, " (We have dropped %.02f%% of " 1857 "all EXTEND cells for this reason)", percentage); 1858 tor_free(m); 1859 } 1860 } else { 1861 log_fn(LOG_WARN, domain, 1862 "EXTEND cell received, in a cell with type %d! Dropping.", 1863 msg->command); 1864 } 1865 return 0; 1866 } 1867 return circuit_extend(msg, circ); 1868 } 1869 case RELAY_COMMAND_EXTENDED: 1870 case RELAY_COMMAND_EXTENDED2: 1871 if (!layer_hint) { 1872 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, 1873 "'extended' unsupported at non-origin. Dropping."); 1874 return 0; 1875 } 1876 log_debug(domain,"Got an extended cell! Yay."); 1877 { 1878 extended_cell_t extended_cell; 1879 if (extended_cell_parse(&extended_cell, msg->command, 1880 msg->body, msg->length) < 0) { 1881 log_warn(LD_PROTOCOL, 1882 "Can't parse EXTENDED cell; killing circuit."); 1883 return -END_CIRC_REASON_TORPROTOCOL; 1884 } 1885 if ((reason = circuit_finish_handshake(TO_ORIGIN_CIRCUIT(circ), 1886 &extended_cell.created_cell)) < 0) { 1887 circuit_mark_for_close(circ, -reason); 1888 return 0; /* We don't want to cause a warning, so we mark the circuit 1889 * here. */ 1890 } 1891 } 1892 if ((reason=circuit_send_next_onion_skin(TO_ORIGIN_CIRCUIT(circ)))<0) { 1893 log_info(domain,"circuit_send_next_onion_skin() failed."); 1894 return reason; 1895 } 1896 /* Total all valid bytes delivered. */ 1897 if (CIRCUIT_IS_ORIGIN(circ)) { 1898 circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), msg->length); 1899 } 1900 return 0; 1901 case RELAY_COMMAND_TRUNCATE: 1902 if (layer_hint) { 1903 log_fn(LOG_PROTOCOL_WARN, LD_APP, 1904 "'truncate' unsupported at origin. Dropping."); 1905 return 0; 1906 } 1907 if (circ->n_hop) { 1908 if (circ->n_chan) 1909 log_warn(LD_BUG, "n_chan and n_hop set on the same circuit!"); 1910 extend_info_free(circ->n_hop); 1911 circ->n_hop = NULL; 1912 tor_free(circ->n_chan_create_cell); 1913 circuit_set_state(circ, CIRCUIT_STATE_OPEN); 1914 } 1915 if (circ->n_chan) { 1916 uint8_t trunc_reason = get_uint8(msg->body); 1917 circuit_synchronize_written_or_bandwidth(circ, CIRCUIT_N_CHAN); 1918 circuit_clear_cell_queue(circ, circ->n_chan); 1919 channel_send_destroy(circ->n_circ_id, circ->n_chan, 1920 trunc_reason); 1921 circuit_set_n_circid_chan(circ, 0, NULL); 1922 } 1923 log_debug(LD_EXIT, "Processed 'truncate', replying."); 1924 { 1925 char payload[1]; 1926 payload[0] = (char)END_CIRC_REASON_REQUESTED; 1927 relay_send_command_from_edge(0, circ, RELAY_COMMAND_TRUNCATED, 1928 payload, sizeof(payload), NULL); 1929 } 1930 return 0; 1931 case RELAY_COMMAND_TRUNCATED: 1932 if (!layer_hint) { 1933 log_fn(LOG_PROTOCOL_WARN, LD_EXIT, 1934 "'truncated' unsupported at non-origin. Dropping."); 1935 return 0; 1936 } 1937 1938 /* Count the truncated as valid, for completeness. The 1939 * circuit is being torn down anyway, though. */ 1940 if (CIRCUIT_IS_ORIGIN(circ)) { 1941 circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), msg->length); 1942 } 1943 circuit_truncated(TO_ORIGIN_CIRCUIT(circ), get_uint8(msg->body)); 1944 return 0; 1945 case RELAY_COMMAND_CONNECTED: 1946 if (conn) { 1947 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, 1948 "'connected' unsupported while open. Closing circ."); 1949 return -END_CIRC_REASON_TORPROTOCOL; 1950 } 1951 1952 if (CIRCUIT_IS_ORIGIN(circ)) { 1953 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); 1954 if (connection_half_edge_is_valid_connected(ocirc->half_streams, 1955 msg->stream_id)) { 1956 circuit_read_valid_data(ocirc, msg->length); 1957 log_info(domain, 1958 "connected cell on circ %u valid on half-closed " 1959 "stream id %d", ocirc->global_identifier, msg->stream_id); 1960 return 0; 1961 } 1962 } 1963 1964 log_info(domain, 1965 "'connected' received on circid %u for streamid %d, " 1966 "no conn attached anymore. Ignoring.", 1967 (unsigned)circ->n_circ_id, msg->stream_id); 1968 return 0; 1969 case RELAY_COMMAND_SENDME: 1970 return process_sendme_cell(msg, circ, conn, layer_hint, domain); 1971 case RELAY_COMMAND_RESOLVE: 1972 if (layer_hint) { 1973 log_fn(LOG_PROTOCOL_WARN, LD_APP, 1974 "resolve request unsupported at AP; dropping."); 1975 return 0; 1976 } else if (conn) { 1977 log_fn(LOG_PROTOCOL_WARN, domain, 1978 "resolve request for known stream; dropping."); 1979 return 0; 1980 } else if (circ->purpose != CIRCUIT_PURPOSE_OR) { 1981 log_fn(LOG_PROTOCOL_WARN, domain, 1982 "resolve request on circ with purpose %d; dropping", 1983 circ->purpose); 1984 return 0; 1985 } 1986 return connection_exit_begin_resolve(msg, TO_OR_CIRCUIT(circ)); 1987 case RELAY_COMMAND_RESOLVED: 1988 if (conn) { 1989 log_fn(LOG_PROTOCOL_WARN, domain, 1990 "'resolved' unsupported while open. Closing circ."); 1991 return -END_CIRC_REASON_TORPROTOCOL; 1992 } 1993 1994 if (CIRCUIT_IS_ORIGIN(circ)) { 1995 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); 1996 if (relay_crypt_from_last_hop(ocirc, layer_hint) && 1997 connection_half_edge_is_valid_resolved(ocirc->half_streams, 1998 msg->stream_id)) { 1999 circuit_read_valid_data(ocirc, msg->length); 2000 log_info(domain, 2001 "resolved cell on circ %u valid on half-closed " 2002 "stream id %d", ocirc->global_identifier, msg->stream_id); 2003 return 0; 2004 } 2005 } 2006 2007 log_info(domain, 2008 "'resolved' received, no conn attached anymore. Ignoring."); 2009 return 0; 2010 case RELAY_COMMAND_ESTABLISH_INTRO: 2011 case RELAY_COMMAND_ESTABLISH_RENDEZVOUS: 2012 case RELAY_COMMAND_INTRODUCE1: 2013 case RELAY_COMMAND_INTRODUCE2: 2014 case RELAY_COMMAND_INTRODUCE_ACK: 2015 case RELAY_COMMAND_RENDEZVOUS1: 2016 case RELAY_COMMAND_RENDEZVOUS2: 2017 case RELAY_COMMAND_INTRO_ESTABLISHED: 2018 case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED: 2019 rend_process_relay_cell(circ, layer_hint, 2020 msg->command, msg->length, msg->body); 2021 return 0; 2022 } 2023 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, 2024 "Received unknown relay command %d. Perhaps the other side is using " 2025 "a newer version of Tor? Dropping.", 2026 msg->command); 2027 return 0; /* for forward compatibility, don't kill the circuit */ 2028 } 2029 2030 /** An incoming relay cell has arrived on circuit <b>circ</b>. If 2031 * <b>conn</b> is NULL this is a control cell, else <b>cell</b> is 2032 * destined for <b>conn</b>. 2033 * 2034 * If <b>layer_hint</b> is defined, then we're the origin of the 2035 * circuit, and it specifies the hop that packaged <b>cell</b>. 2036 * 2037 * Return -reason if you want to warn and tear down the circuit, else 0. 2038 */ 2039 STATIC int 2040 connection_edge_process_relay_cell(const relay_msg_t *msg, circuit_t *circ, 2041 edge_connection_t *conn, 2042 crypt_path_t *layer_hint) 2043 { 2044 static int num_seen=0; 2045 unsigned domain = layer_hint?LD_APP:LD_EXIT; 2046 2047 tor_assert(msg); 2048 tor_assert(circ); 2049 2050 // log_fn(LOG_DEBUG,"command %d stream %d", rh.command, rh.stream_id); 2051 num_seen++; 2052 log_debug(domain, "Now seen %d relay cells here (command %d, stream %d).", 2053 num_seen, msg->command, msg->stream_id); 2054 2055 if (msg->stream_id == 0) { 2056 switch (msg->command) { 2057 case RELAY_COMMAND_BEGIN: 2058 case RELAY_COMMAND_CONNECTED: 2059 case RELAY_COMMAND_END: 2060 case RELAY_COMMAND_RESOLVE: 2061 case RELAY_COMMAND_RESOLVED: 2062 case RELAY_COMMAND_BEGIN_DIR: 2063 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay command %u with zero " 2064 "stream_id. Dropping.", msg->command); 2065 return 0; 2066 default: 2067 ; 2068 } 2069 } 2070 2071 /* Regardless of conflux or not, we always decide to send a SENDME 2072 * for RELAY_DATA immediately 2073 */ 2074 if (msg->command == RELAY_COMMAND_DATA) { 2075 /* Update our circuit-level deliver window that we received a DATA cell. 2076 * If the deliver window goes below 0, we end the circuit and stream due 2077 * to a protocol failure. */ 2078 if (sendme_circuit_data_received(circ, layer_hint) < 0) { 2079 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, 2080 "(relay data) circ deliver_window below 0. Killing."); 2081 connection_edge_end_close(conn, END_STREAM_REASON_TORPROTOCOL); 2082 return -END_CIRC_REASON_TORPROTOCOL; 2083 } 2084 2085 /* Consider sending a circuit-level SENDME cell. */ 2086 sendme_circuit_consider_sending(circ, layer_hint); 2087 2088 /* Continue on to process the data cell via conflux or not */ 2089 } 2090 2091 /* Conflux handling: If conflux is disabled, or the relay command is not 2092 * multiplexed across circuits, then process it immediately. 2093 * 2094 * Otherwise, we need to process the relay cell against our conflux 2095 * queues, and if doing so results in ordered cells to deliver, we 2096 * dequeue and process those in-order until there are no more. 2097 */ 2098 if (!circ->conflux || !conflux_should_multiplex(msg->command)) { 2099 return connection_edge_process_ordered_relay_cell(msg, circ, conn, 2100 layer_hint); 2101 } else { 2102 // If conflux says this cell is in-order, then begin processing 2103 // cells from queue until there are none. Otherwise, we do nothing 2104 // until further cells arrive. 2105 if (conflux_process_relay_msg(circ->conflux, circ, layer_hint, 2106 (relay_msg_t *) msg)) { 2107 conflux_msg_t *c_msg = NULL; 2108 2109 /* First, process this cell */ 2110 int ret = connection_edge_process_ordered_relay_cell( 2111 msg, circ, conn, layer_hint); 2112 if (ret < 0) { 2113 return ret; 2114 } 2115 2116 /* Now, check queue for more */ 2117 while ((c_msg = conflux_dequeue_relay_msg(circ))) { 2118 conn = relay_lookup_conn(circ, c_msg->msg, CELL_DIRECTION_OUT, 2119 layer_hint); 2120 ret = connection_edge_process_ordered_relay_cell(c_msg->msg, circ, 2121 conn, 2122 layer_hint); 2123 if (ret < 0) { 2124 /* Negative return value is a fatal error. Return early and tear down 2125 * circuit */ 2126 conflux_relay_msg_free(c_msg); 2127 return ret; 2128 } 2129 conflux_relay_msg_free(c_msg); 2130 } 2131 } 2132 } 2133 2134 return 0; 2135 } 2136 2137 /** 2138 * Helper function to process a relay cell that is in the proper order 2139 * for processing right now. */ 2140 static int 2141 connection_edge_process_ordered_relay_cell(const relay_msg_t *msg, 2142 circuit_t *circ, 2143 edge_connection_t *conn, 2144 crypt_path_t *layer_hint) 2145 { 2146 int optimistic_data = 0; /* Set to 1 if we receive data on a stream 2147 * that's in the EXIT_CONN_STATE_RESOLVING 2148 * or EXIT_CONN_STATE_CONNECTING states. */ 2149 2150 /* Tell circpad that we've received a recognized cell */ 2151 circpad_deliver_recognized_relay_cell_events(circ, msg->command, layer_hint); 2152 2153 /* either conn is NULL, in which case we've got a control cell, or else 2154 * conn points to the recognized stream. */ 2155 if (conn && !connection_state_is_open(TO_CONN(conn))) { 2156 if (conn->base_.type == CONN_TYPE_EXIT && 2157 (conn->base_.state == EXIT_CONN_STATE_CONNECTING || 2158 conn->base_.state == EXIT_CONN_STATE_RESOLVING) && 2159 msg->command == RELAY_COMMAND_DATA) { 2160 /* Allow DATA cells to be delivered to an exit node in state 2161 * EXIT_CONN_STATE_CONNECTING or EXIT_CONN_STATE_RESOLVING. 2162 * This speeds up HTTP, for example. */ 2163 optimistic_data = 1; 2164 } else if (msg->stream_id == 0 && msg->command == RELAY_COMMAND_DATA) { 2165 log_warn(LD_BUG, "Somehow I had a connection that matched a " 2166 "data cell with stream ID 0."); 2167 } else { 2168 return connection_edge_process_relay_cell_not_open( 2169 msg, circ, conn, layer_hint); 2170 } 2171 } 2172 2173 return handle_relay_msg(msg, circ, conn, layer_hint, optimistic_data); 2174 } 2175 2176 /** How many relay_data cells have we built, ever? */ 2177 uint64_t stats_n_data_cells_packaged = 0; 2178 /** How many bytes of data have we put in relay_data cells have we built, 2179 * ever? This would be RELAY_PAYLOAD_SIZE*stats_n_data_cells_packaged if 2180 * every relay cell we ever sent were completely full of data. */ 2181 uint64_t stats_n_data_bytes_packaged = 0; 2182 /** How many relay_data cells have we received, ever? */ 2183 uint64_t stats_n_data_cells_received = 0; 2184 /** How many bytes of data have we received relay_data cells, ever? This would 2185 * be RELAY_PAYLOAD_SIZE*stats_n_data_cells_packaged if every relay cell we 2186 * ever received were completely full of data. */ 2187 uint64_t stats_n_data_bytes_received = 0; 2188 2189 /** 2190 * Called when initializing a circuit, or when we have reached the end of the 2191 * window in which we need to send some randomness so that incoming sendme 2192 * cells will be unpredictable. Resets the flags and picks a new window. 2193 */ 2194 void 2195 circuit_reset_sendme_randomness(circuit_t *circ) 2196 { 2197 circ->have_sent_sufficiently_random_cell = 0; 2198 // XXX: do we need to change this check for congestion control? 2199 circ->send_randomness_after_n_cells = CIRCWINDOW_INCREMENT / 2 + 2200 crypto_fast_rng_get_uint(get_thread_fast_rng(), CIRCWINDOW_INCREMENT / 2); 2201 } 2202 2203 /** 2204 * Helper. Return the number of bytes that should be put into a cell from a 2205 * given edge connection on which <b>n_available</b> bytes are available. 2206 */ 2207 STATIC size_t 2208 connection_edge_get_inbuf_bytes_to_package(size_t n_available, 2209 int package_partial, 2210 circuit_t *on_circuit, 2211 crypt_path_t *cpath) 2212 { 2213 if (!n_available) 2214 return 0; 2215 2216 /* Do we need to force this payload to have space for randomness? */ 2217 const bool force_random_bytes = 2218 (on_circuit->send_randomness_after_n_cells == 0) && 2219 (! on_circuit->have_sent_sufficiently_random_cell); 2220 2221 relay_cell_fmt_t cell_format = circuit_get_relay_format(on_circuit, cpath); 2222 size_t target_length = 2223 relay_cell_max_payload_size(cell_format, RELAY_COMMAND_DATA); 2224 2225 #define RELAY_CELL_PADDING_GAP 4 2226 2227 /* Any relay data payload containing fewer than this many real bytes is 2228 * considered to have enough randomness to. */ 2229 size_t target_length_with_random = target_length - 2230 RELAY_CELL_PADDING_GAP - 16; 2231 if (force_random_bytes) { 2232 target_length = target_length_with_random; 2233 } 2234 2235 /* Decide how many bytes we will actually put into this cell. */ 2236 size_t package_length; 2237 if (n_available >= target_length) { /* A full payload is available. */ 2238 package_length = target_length; 2239 } else { /* not a full payload available */ 2240 if (package_partial) 2241 package_length = n_available; /* just take whatever's available now */ 2242 else 2243 return 0; /* nothing to do until we have a full payload */ 2244 } 2245 2246 /* If we reach this point, we will be definitely sending the cell. */ 2247 tor_assert_nonfatal(package_length > 0); 2248 2249 if (package_length <= target_length_with_random) { 2250 /* This cell will have enough randomness in the padding to make a future 2251 * sendme cell unpredictable. */ 2252 on_circuit->have_sent_sufficiently_random_cell = 1; 2253 } 2254 2255 if (on_circuit->send_randomness_after_n_cells == 0) { 2256 /* Either this cell, or some previous cell, had enough padding to 2257 * ensure sendme unpredictability. */ 2258 tor_assert_nonfatal(on_circuit->have_sent_sufficiently_random_cell); 2259 /* Pick a new interval in which we need to send randomness. */ 2260 circuit_reset_sendme_randomness(on_circuit); 2261 } 2262 2263 --on_circuit->send_randomness_after_n_cells; 2264 2265 return package_length; 2266 } 2267 2268 /** If <b>conn</b> has an entire relay payload of bytes on its inbuf (or 2269 * <b>package_partial</b> is true), and the appropriate package windows aren't 2270 * empty, grab a cell and send it down the circuit. 2271 * 2272 * If *<b>max_cells</b> is given, package no more than max_cells. Decrement 2273 * *<b>max_cells</b> by the number of cells packaged. 2274 * 2275 * Return -1 (and send a RELAY_COMMAND_END cell if necessary) if conn should 2276 * be marked for close, else return 0. 2277 */ 2278 int 2279 connection_edge_package_raw_inbuf(edge_connection_t *conn, int package_partial, 2280 int *max_cells) 2281 { 2282 size_t bytes_to_process, length; 2283 char payload[CELL_PAYLOAD_SIZE]; 2284 circuit_t *circ; 2285 const unsigned domain = conn->base_.type == CONN_TYPE_AP ? LD_APP : LD_EXIT; 2286 int sending_from_optimistic = 0; 2287 entry_connection_t *entry_conn = 2288 conn->base_.type == CONN_TYPE_AP ? EDGE_TO_ENTRY_CONN(conn) : NULL; 2289 const int sending_optimistically = 2290 entry_conn && 2291 conn->base_.type == CONN_TYPE_AP && 2292 conn->base_.state != AP_CONN_STATE_OPEN; 2293 crypt_path_t *cpath_layer = conn->cpath_layer; 2294 2295 tor_assert(conn); 2296 2297 if (BUG(conn->base_.marked_for_close)) { 2298 log_warn(LD_BUG, 2299 "called on conn that's already marked for close at %s:%d.", 2300 conn->base_.marked_for_close_file, conn->base_.marked_for_close); 2301 return 0; 2302 } 2303 2304 if (max_cells && *max_cells <= 0) 2305 return 0; 2306 2307 repeat_connection_edge_package_raw_inbuf: 2308 2309 circ = circuit_get_by_edge_conn(conn); 2310 if (!circ) { 2311 log_info(domain,"conn has no circuit! Closing."); 2312 conn->end_reason = END_STREAM_REASON_CANT_ATTACH; 2313 return -1; 2314 } 2315 2316 if (circuit_consider_stop_edge_reading(circ, cpath_layer)) 2317 return 0; 2318 2319 if (conn->package_window <= 0) { 2320 log_info(domain,"called with package_window %d. Skipping.", 2321 conn->package_window); 2322 connection_stop_reading(TO_CONN(conn)); 2323 return 0; 2324 } 2325 2326 sending_from_optimistic = entry_conn && 2327 entry_conn->sending_optimistic_data != NULL; 2328 2329 if (PREDICT_UNLIKELY(sending_from_optimistic)) { 2330 bytes_to_process = buf_datalen(entry_conn->sending_optimistic_data); 2331 if (PREDICT_UNLIKELY(!bytes_to_process)) { 2332 log_warn(LD_BUG, "sending_optimistic_data was non-NULL but empty"); 2333 bytes_to_process = connection_get_inbuf_len(TO_CONN(conn)); 2334 sending_from_optimistic = 0; 2335 } 2336 } else { 2337 bytes_to_process = connection_get_inbuf_len(TO_CONN(conn)); 2338 } 2339 2340 length = connection_edge_get_inbuf_bytes_to_package(bytes_to_process, 2341 package_partial, circ, 2342 cpath_layer); 2343 if (!length) 2344 return 0; 2345 2346 /* If we reach this point, we will definitely be packaging bytes into 2347 * a cell. */ 2348 2349 stats_n_data_bytes_packaged += length; 2350 stats_n_data_cells_packaged += 1; 2351 2352 if (PREDICT_UNLIKELY(sending_from_optimistic)) { 2353 /* XXXX We could be more efficient here by sometimes packing 2354 * previously-sent optimistic data in the same cell with data 2355 * from the inbuf. */ 2356 buf_get_bytes(entry_conn->sending_optimistic_data, payload, length); 2357 if (!buf_datalen(entry_conn->sending_optimistic_data)) { 2358 buf_free(entry_conn->sending_optimistic_data); 2359 entry_conn->sending_optimistic_data = NULL; 2360 } 2361 } else { 2362 connection_buf_get_bytes(payload, length, TO_CONN(conn)); 2363 } 2364 2365 log_debug(domain,TOR_SOCKET_T_FORMAT": Packaging %d bytes (%d waiting).", 2366 conn->base_.s, 2367 (int)length, (int)connection_get_inbuf_len(TO_CONN(conn))); 2368 2369 if (sending_optimistically && !sending_from_optimistic) { 2370 /* This is new optimistic data; remember it in case we need to detach and 2371 retry */ 2372 if (!entry_conn->pending_optimistic_data) 2373 entry_conn->pending_optimistic_data = buf_new(); 2374 buf_add(entry_conn->pending_optimistic_data, payload, length); 2375 } 2376 2377 /* Send a data cell. This handles the circuit package window. */ 2378 if (connection_edge_send_command(conn, RELAY_COMMAND_DATA, 2379 payload, length) < 0 ) { 2380 /* circuit got marked for close, don't continue, don't need to mark conn */ 2381 return 0; 2382 } 2383 2384 /* Handle the stream-level SENDME package window. */ 2385 if (sendme_note_stream_data_packaged(conn, length) < 0) { 2386 connection_stop_reading(TO_CONN(conn)); 2387 log_debug(domain,"conn->package_window reached 0."); 2388 circuit_consider_stop_edge_reading(circ, cpath_layer); 2389 return 0; /* don't process the inbuf any more */ 2390 } 2391 log_debug(domain,"conn->package_window is now %d",conn->package_window); 2392 2393 if (max_cells) { 2394 *max_cells -= 1; 2395 if (*max_cells <= 0) 2396 return 0; 2397 } 2398 2399 /* handle more if there's more, or return 0 if there isn't */ 2400 goto repeat_connection_edge_package_raw_inbuf; 2401 } 2402 2403 /** The circuit <b>circ</b> has received a circuit-level sendme 2404 * (on hop <b>layer_hint</b>, if we're the OP). Go through all the 2405 * attached streams and let them resume reading and packaging, if 2406 * their stream windows allow it. 2407 */ 2408 static void 2409 circuit_resume_edge_reading(circuit_t *circ, crypt_path_t *layer_hint) 2410 { 2411 if (circuit_queue_streams_are_blocked(circ)) { 2412 log_debug(layer_hint?LD_APP:LD_EXIT,"Too big queue, no resuming"); 2413 return; 2414 } 2415 2416 /* If we have a conflux negotiated, and it still can't send on 2417 * any circuit, then do not resume sending. */ 2418 if (circ->conflux && !conflux_can_send(circ->conflux)) { 2419 log_debug(layer_hint?LD_APP:LD_EXIT, 2420 "Conflux can't send, not resuming edges"); 2421 return; 2422 } 2423 2424 log_debug(layer_hint?LD_APP:LD_EXIT,"resuming"); 2425 2426 if (CIRCUIT_IS_ORIGIN(circ)) 2427 circuit_resume_edge_reading_helper(TO_ORIGIN_CIRCUIT(circ)->p_streams, 2428 circ, layer_hint); 2429 else 2430 circuit_resume_edge_reading_helper(TO_OR_CIRCUIT(circ)->n_streams, 2431 circ, layer_hint); 2432 } 2433 2434 /** A helper function for circuit_resume_edge_reading() above. 2435 * The arguments are the same, except that <b>conn</b> is the head 2436 * of a linked list of edge streams that should each be considered. 2437 */ 2438 static int 2439 circuit_resume_edge_reading_helper(edge_connection_t *first_conn, 2440 circuit_t *circ, 2441 crypt_path_t *layer_hint) 2442 { 2443 edge_connection_t *conn; 2444 int n_packaging_streams, n_streams_left; 2445 int packaged_this_round; 2446 int cells_on_queue; 2447 int cells_per_conn; 2448 edge_connection_t *chosen_stream = NULL; 2449 int max_to_package; 2450 2451 if (first_conn == NULL) { 2452 /* Don't bother to try to do the rest of this if there are no connections 2453 * to resume. */ 2454 return 0; 2455 } 2456 2457 /* Once we used to start listening on the streams in the order they 2458 * appeared in the linked list. That leads to starvation on the 2459 * streams that appeared later on the list, since the first streams 2460 * would always get to read first. Instead, we just pick a random 2461 * stream on the list, and enable reading for streams starting at that 2462 * point (and wrapping around as if the list were circular). It would 2463 * probably be better to actually remember which streams we've 2464 * serviced in the past, but this is simple and effective. */ 2465 2466 /* Select a stream uniformly at random from the linked list. We 2467 * don't need cryptographic randomness here. */ 2468 { 2469 int num_streams = 0; 2470 for (conn = first_conn; conn; conn = conn->next_stream) { 2471 num_streams++; 2472 2473 if (crypto_fast_rng_one_in_n(get_thread_fast_rng(), num_streams)) { 2474 chosen_stream = conn; 2475 } 2476 /* Invariant: chosen_stream has been chosen uniformly at random from 2477 * among the first num_streams streams on first_conn. 2478 * 2479 * (Note that we iterate over every stream on the circuit, so that after 2480 * we've considered the first stream, we've chosen it with P=1; and 2481 * after we consider the second stream, we've switched to it with P=1/2 2482 * and stayed with the first stream with P=1/2; and after we've 2483 * considered the third stream, we've switched to it with P=1/3 and 2484 * remained with one of the first two streams with P=(2/3), giving each 2485 * one P=(1/2)(2/3) )=(1/3).) */ 2486 } 2487 } 2488 2489 /* Count how many non-marked streams there are that have anything on 2490 * their inbuf, and enable reading on all of the connections. */ 2491 n_packaging_streams = 0; 2492 /* Activate reading starting from the chosen stream */ 2493 for (conn=chosen_stream; conn; conn = conn->next_stream) { 2494 /* Start reading for the streams starting from here */ 2495 if (conn->base_.marked_for_close || conn->package_window <= 0) 2496 continue; 2497 2498 if (edge_uses_cpath(conn, layer_hint)) { 2499 if (!conn->xoff_received) { 2500 connection_start_reading(TO_CONN(conn)); 2501 } 2502 2503 if (connection_get_inbuf_len(TO_CONN(conn)) > 0) 2504 ++n_packaging_streams; 2505 } 2506 } 2507 /* Go back and do the ones we skipped, circular-style */ 2508 for (conn = first_conn; conn != chosen_stream; conn = conn->next_stream) { 2509 if (conn->base_.marked_for_close || conn->package_window <= 0) 2510 continue; 2511 2512 if (edge_uses_cpath(conn, layer_hint)) { 2513 if (!conn->xoff_received) { 2514 connection_start_reading(TO_CONN(conn)); 2515 } 2516 2517 if (connection_get_inbuf_len(TO_CONN(conn)) > 0) 2518 ++n_packaging_streams; 2519 } 2520 } 2521 2522 if (n_packaging_streams == 0) /* avoid divide-by-zero */ 2523 return 0; 2524 2525 again: 2526 2527 /* If we're using conflux, the circuit we decide to send on may change 2528 * after we're sending. Get it again, and re-check package windows 2529 * for it */ 2530 if (circ->conflux) { 2531 if (circuit_consider_stop_edge_reading(circ, layer_hint)) 2532 return -1; 2533 2534 circ = conflux_decide_next_circ(circ->conflux); 2535 2536 /* Get the destination layer hint for this circuit */ 2537 layer_hint = conflux_get_destination_hop(circ); 2538 } 2539 2540 /* How many cells do we have space for? It will be the minimum of 2541 * the number needed to exhaust the package window, and the minimum 2542 * needed to fill the cell queue. */ 2543 max_to_package = congestion_control_get_package_window(circ, layer_hint); 2544 if (CIRCUIT_IS_ORIGIN(circ)) { 2545 cells_on_queue = circ->n_chan_cells.n; 2546 } else { 2547 or_circuit_t *or_circ = TO_OR_CIRCUIT(circ); 2548 cells_on_queue = or_circ->p_chan_cells.n; 2549 } 2550 if (cell_queue_highwatermark() - cells_on_queue < max_to_package) 2551 max_to_package = cell_queue_highwatermark() - cells_on_queue; 2552 2553 cells_per_conn = CEIL_DIV(max_to_package, n_packaging_streams); 2554 2555 packaged_this_round = 0; 2556 n_streams_left = 0; 2557 2558 /* Iterate over all connections. Package up to cells_per_conn cells on 2559 * each. Update packaged_this_round with the total number of cells 2560 * packaged, and n_streams_left with the number that still have data to 2561 * package. 2562 */ 2563 for (conn=first_conn; conn; conn=conn->next_stream) { 2564 if (conn->base_.marked_for_close || conn->package_window <= 0) 2565 continue; 2566 if (edge_uses_cpath(conn, layer_hint)) { 2567 int n = cells_per_conn, r; 2568 /* handle whatever might still be on the inbuf */ 2569 r = connection_edge_package_raw_inbuf(conn, 1, &n); 2570 2571 /* Note how many we packaged */ 2572 packaged_this_round += (cells_per_conn-n); 2573 2574 if (r<0) { 2575 /* Problem while packaging. (We already sent an end cell if 2576 * possible) */ 2577 connection_mark_for_close(TO_CONN(conn)); 2578 continue; 2579 } 2580 2581 /* If there's still data to read, we'll be coming back to this stream. */ 2582 if (connection_get_inbuf_len(TO_CONN(conn))) 2583 ++n_streams_left; 2584 2585 /* If the circuit won't accept any more data, return without looking 2586 * at any more of the streams. Any connections that should be stopped 2587 * have already been stopped by connection_edge_package_raw_inbuf. */ 2588 if (circuit_consider_stop_edge_reading(circ, layer_hint)) 2589 return -1; 2590 /* XXXX should we also stop immediately if we fill up the cell queue? 2591 * Probably. */ 2592 } 2593 } 2594 2595 /* If we made progress, and we are willing to package more, and there are 2596 * any streams left that want to package stuff... try again! 2597 */ 2598 if (packaged_this_round && packaged_this_round < max_to_package && 2599 n_streams_left) { 2600 n_packaging_streams = n_streams_left; 2601 goto again; 2602 } 2603 2604 return 0; 2605 } 2606 2607 /** Check if the package window for <b>circ</b> is empty (at 2608 * hop <b>layer_hint</b> if it's defined). 2609 * 2610 * If yes, tell edge streams to stop reading and return 1. 2611 * Else return 0. 2612 */ 2613 static int 2614 circuit_consider_stop_edge_reading(circuit_t *circ, crypt_path_t *layer_hint) 2615 { 2616 edge_connection_t *conn = NULL; 2617 unsigned domain = layer_hint ? LD_APP : LD_EXIT; 2618 2619 if (!layer_hint) { 2620 or_circuit_t *or_circ = TO_OR_CIRCUIT(circ); 2621 log_debug(domain,"considering circ->package_window %d", 2622 circ->package_window); 2623 if (circuit_get_package_window(circ, layer_hint) <= 0) { 2624 log_debug(domain,"yes, not-at-origin. stopped."); 2625 for (conn = or_circ->n_streams; conn; conn=conn->next_stream) 2626 connection_stop_reading(TO_CONN(conn)); 2627 return 1; 2628 } 2629 return 0; 2630 } 2631 /* else, layer hint is defined, use it */ 2632 log_debug(domain,"considering layer_hint->package_window %d", 2633 layer_hint->package_window); 2634 if (circuit_get_package_window(circ, layer_hint) <= 0) { 2635 log_debug(domain,"yes, at-origin. stopped."); 2636 for (conn = TO_ORIGIN_CIRCUIT(circ)->p_streams; conn; 2637 conn=conn->next_stream) { 2638 if (edge_uses_cpath(conn, layer_hint)) 2639 connection_stop_reading(TO_CONN(conn)); 2640 } 2641 return 1; 2642 } 2643 return 0; 2644 } 2645 2646 /** The total number of cells we have allocated. */ 2647 static size_t total_cells_allocated = 0; 2648 2649 /** Release storage held by <b>cell</b>. */ 2650 static inline void 2651 packed_cell_free_unchecked(packed_cell_t *cell) 2652 { 2653 --total_cells_allocated; 2654 tor_free(cell); 2655 } 2656 2657 /** Allocate and return a new packed_cell_t. */ 2658 STATIC packed_cell_t * 2659 packed_cell_new(void) 2660 { 2661 ++total_cells_allocated; 2662 return tor_malloc_zero(sizeof(packed_cell_t)); 2663 } 2664 2665 /** Return a packed cell used outside by channel_t lower layer */ 2666 void 2667 packed_cell_free_(packed_cell_t *cell) 2668 { 2669 if (!cell) 2670 return; 2671 packed_cell_free_unchecked(cell); 2672 } 2673 2674 /** Log current statistics for cell pool allocation at log level 2675 * <b>severity</b>. */ 2676 void 2677 dump_cell_pool_usage(int severity) 2678 { 2679 int n_circs = 0; 2680 int n_cells = 0; 2681 SMARTLIST_FOREACH_BEGIN(circuit_get_global_list(), circuit_t *, c) { 2682 n_cells += c->n_chan_cells.n; 2683 if (!CIRCUIT_IS_ORIGIN(c)) 2684 n_cells += TO_OR_CIRCUIT(c)->p_chan_cells.n; 2685 ++n_circs; 2686 } 2687 SMARTLIST_FOREACH_END(c); 2688 tor_log(severity, LD_MM, 2689 "%d cells allocated on %d circuits. %d cells leaked.", 2690 n_cells, n_circs, (int)total_cells_allocated - n_cells); 2691 } 2692 2693 /** Allocate a new copy of packed <b>cell</b>. */ 2694 static inline packed_cell_t * 2695 packed_cell_copy(const cell_t *cell, int wide_circ_ids) 2696 { 2697 packed_cell_t *c = packed_cell_new(); 2698 cell_pack(c, cell, wide_circ_ids); 2699 return c; 2700 } 2701 2702 /** Append <b>cell</b> to the end of <b>queue</b>. */ 2703 void 2704 cell_queue_append(cell_queue_t *queue, packed_cell_t *cell) 2705 { 2706 TOR_SIMPLEQ_INSERT_TAIL(&queue->head, cell, next); 2707 ++queue->n; 2708 } 2709 2710 /** Append a newly allocated copy of <b>cell</b> to the end of the 2711 * <b>exitward</b> (or app-ward) <b>queue</b> of <b>circ</b>. If 2712 * <b>use_stats</b> is true, record statistics about the cell. 2713 */ 2714 void 2715 cell_queue_append_packed_copy(circuit_t *circ, cell_queue_t *queue, 2716 int exitward, const cell_t *cell, 2717 int wide_circ_ids, int use_stats) 2718 { 2719 packed_cell_t *copy = packed_cell_copy(cell, wide_circ_ids); 2720 (void)circ; 2721 (void)exitward; 2722 (void)use_stats; 2723 2724 copy->inserted_timestamp = monotime_coarse_get_stamp(); 2725 2726 cell_queue_append(queue, copy); 2727 } 2728 2729 /** Initialize <b>queue</b> as an empty cell queue. */ 2730 void 2731 cell_queue_init(cell_queue_t *queue) 2732 { 2733 memset(queue, 0, sizeof(cell_queue_t)); 2734 TOR_SIMPLEQ_INIT(&queue->head); 2735 } 2736 2737 /** Remove and free every cell in <b>queue</b>. */ 2738 void 2739 cell_queue_clear(cell_queue_t *queue) 2740 { 2741 packed_cell_t *cell; 2742 while ((cell = TOR_SIMPLEQ_FIRST(&queue->head))) { 2743 TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next); 2744 packed_cell_free_unchecked(cell); 2745 } 2746 TOR_SIMPLEQ_INIT(&queue->head); 2747 queue->n = 0; 2748 } 2749 2750 /** Extract and return the cell at the head of <b>queue</b>; return NULL if 2751 * <b>queue</b> is empty. */ 2752 STATIC packed_cell_t * 2753 cell_queue_pop(cell_queue_t *queue) 2754 { 2755 packed_cell_t *cell = TOR_SIMPLEQ_FIRST(&queue->head); 2756 if (!cell) 2757 return NULL; 2758 TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next); 2759 --queue->n; 2760 return cell; 2761 } 2762 2763 /** Initialize <b>queue</b> as an empty cell queue. */ 2764 void 2765 destroy_cell_queue_init(destroy_cell_queue_t *queue) 2766 { 2767 memset(queue, 0, sizeof(destroy_cell_queue_t)); 2768 TOR_SIMPLEQ_INIT(&queue->head); 2769 } 2770 2771 /** Remove and free every cell in <b>queue</b>. */ 2772 void 2773 destroy_cell_queue_clear(destroy_cell_queue_t *queue) 2774 { 2775 destroy_cell_t *cell; 2776 while ((cell = TOR_SIMPLEQ_FIRST(&queue->head))) { 2777 TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next); 2778 tor_free(cell); 2779 } 2780 TOR_SIMPLEQ_INIT(&queue->head); 2781 queue->n = 0; 2782 } 2783 2784 /** Extract and return the cell at the head of <b>queue</b>; return NULL if 2785 * <b>queue</b> is empty. */ 2786 STATIC destroy_cell_t * 2787 destroy_cell_queue_pop(destroy_cell_queue_t *queue) 2788 { 2789 destroy_cell_t *cell = TOR_SIMPLEQ_FIRST(&queue->head); 2790 if (!cell) 2791 return NULL; 2792 TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next); 2793 --queue->n; 2794 return cell; 2795 } 2796 2797 /** Append a destroy cell for <b>circid</b> to <b>queue</b>. */ 2798 void 2799 destroy_cell_queue_append(destroy_cell_queue_t *queue, 2800 circid_t circid, 2801 uint8_t reason) 2802 { 2803 destroy_cell_t *cell = tor_malloc_zero(sizeof(destroy_cell_t)); 2804 cell->circid = circid; 2805 cell->reason = reason; 2806 /* Not yet used, but will be required for OOM handling. */ 2807 cell->inserted_timestamp = monotime_coarse_get_stamp(); 2808 2809 TOR_SIMPLEQ_INSERT_TAIL(&queue->head, cell, next); 2810 ++queue->n; 2811 } 2812 2813 /** Convert a destroy_cell_t to a newly allocated cell_t. Frees its input. */ 2814 static packed_cell_t * 2815 destroy_cell_to_packed_cell(destroy_cell_t *inp, int wide_circ_ids) 2816 { 2817 packed_cell_t *packed = packed_cell_new(); 2818 cell_t cell; 2819 memset(&cell, 0, sizeof(cell)); 2820 cell.circ_id = inp->circid; 2821 cell.command = CELL_DESTROY; 2822 cell.payload[0] = inp->reason; 2823 cell_pack(packed, &cell, wide_circ_ids); 2824 2825 tor_free(inp); 2826 return packed; 2827 } 2828 2829 /** Return the total number of bytes used for each packed_cell in a queue. 2830 * Approximate. */ 2831 size_t 2832 packed_cell_mem_cost(void) 2833 { 2834 return sizeof(packed_cell_t); 2835 } 2836 2837 /* DOCDOC */ 2838 size_t 2839 cell_queues_get_total_allocation(void) 2840 { 2841 return total_cells_allocated * packed_cell_mem_cost(); 2842 } 2843 2844 /** How long after we've been low on memory should we try to conserve it? */ 2845 #define MEMORY_PRESSURE_INTERVAL (30*60) 2846 2847 /** The time at which we were last low on memory. */ 2848 static time_t last_time_under_memory_pressure = 0; 2849 2850 /** Statistics on how many bytes were removed by the OOM per type. */ 2851 uint64_t oom_stats_n_bytes_removed_dns = 0; 2852 uint64_t oom_stats_n_bytes_removed_cell = 0; 2853 uint64_t oom_stats_n_bytes_removed_geoip = 0; 2854 uint64_t oom_stats_n_bytes_removed_hsdir = 0; 2855 2856 /** Check whether we've got too much space used for cells. If so, 2857 * call the OOM handler and return 1. Otherwise, return 0. */ 2858 STATIC int 2859 cell_queues_check_size(void) 2860 { 2861 size_t removed = 0; 2862 time_t now = time(NULL); 2863 size_t alloc = cell_queues_get_total_allocation(); 2864 alloc += half_streams_get_total_allocation(); 2865 alloc += buf_get_total_allocation(); 2866 alloc += tor_compress_get_total_allocation(); 2867 const size_t hs_cache_total = hs_cache_get_total_allocation(); 2868 alloc += hs_cache_total; 2869 const size_t geoip_client_cache_total = 2870 geoip_client_cache_total_allocation(); 2871 alloc += geoip_client_cache_total; 2872 const size_t dns_cache_total = dns_cache_total_allocation(); 2873 alloc += dns_cache_total; 2874 const size_t conflux_total = conflux_get_total_bytes_allocation(); 2875 alloc += conflux_total; 2876 if (alloc >= get_options()->MaxMemInQueues_low_threshold) { 2877 last_time_under_memory_pressure = approx_time(); 2878 if (alloc >= get_options()->MaxMemInQueues) { 2879 /* Note this overload down */ 2880 rep_hist_note_overload(OVERLOAD_GENERAL); 2881 2882 /* If we're spending over the configured limit on hidden service 2883 * descriptors, free them until we're down to 50% of the limit. */ 2884 if (hs_cache_total > hs_cache_get_max_bytes()) { 2885 const size_t bytes_to_remove = 2886 hs_cache_total - (size_t)(hs_cache_get_max_bytes() / 2); 2887 removed = hs_cache_handle_oom(bytes_to_remove); 2888 oom_stats_n_bytes_removed_hsdir += removed; 2889 alloc -= removed; 2890 static ratelim_t hs_cache_oom_ratelim = RATELIM_INIT(600); 2891 log_fn_ratelim(&hs_cache_oom_ratelim, LOG_NOTICE, LD_REND, 2892 "HSDir cache exceeded limit " 2893 "(%"TOR_PRIuSZ " > %"PRIu64 " bytes). " 2894 "Pruned %"TOR_PRIuSZ " bytes during cell_queues_check_size.", 2895 hs_cache_total, hs_cache_get_max_bytes(), removed); 2896 } 2897 if (geoip_client_cache_total > get_options()->MaxMemInQueues / 5) { 2898 const size_t bytes_to_remove = 2899 geoip_client_cache_total - 2900 (size_t)(get_options()->MaxMemInQueues / 10); 2901 removed = geoip_client_cache_handle_oom(now, bytes_to_remove); 2902 oom_stats_n_bytes_removed_geoip += removed; 2903 alloc -= removed; 2904 } 2905 if (dns_cache_total > get_options()->MaxMemInQueues / 5) { 2906 const size_t bytes_to_remove = 2907 dns_cache_total - (size_t)(get_options()->MaxMemInQueues / 10); 2908 removed = dns_cache_handle_oom(now, bytes_to_remove); 2909 oom_stats_n_bytes_removed_dns += removed; 2910 alloc -= removed; 2911 } 2912 /* Like onion service above, try to go down to 10% if we are above 20% */ 2913 if (conflux_total > get_options()->MaxMemInQueues / 5) { 2914 const size_t bytes_to_remove = 2915 conflux_total - (size_t)(get_options()->MaxMemInQueues / 10); 2916 removed = conflux_handle_oom(bytes_to_remove); 2917 oom_stats_n_bytes_removed_cell += removed; 2918 alloc -= removed; 2919 } 2920 removed = circuits_handle_oom(alloc); 2921 oom_stats_n_bytes_removed_cell += removed; 2922 return 1; 2923 } 2924 } 2925 return 0; 2926 } 2927 2928 /** Return true if we've been under memory pressure in the last 2929 * MEMORY_PRESSURE_INTERVAL seconds. */ 2930 bool 2931 have_been_under_memory_pressure(void) 2932 { 2933 return approx_time() < 2934 last_time_under_memory_pressure + MEMORY_PRESSURE_INTERVAL; 2935 } 2936 2937 /** 2938 * Update the number of cells available on the circuit's n_chan or p_chan's 2939 * circuit mux. 2940 */ 2941 void 2942 update_circuit_on_cmux_(circuit_t *circ, cell_direction_t direction, 2943 const char *file, int lineno) 2944 { 2945 channel_t *chan = NULL; 2946 or_circuit_t *or_circ = NULL; 2947 circuitmux_t *cmux = NULL; 2948 2949 tor_assert(circ); 2950 2951 /* Okay, get the channel */ 2952 if (direction == CELL_DIRECTION_OUT) { 2953 chan = circ->n_chan; 2954 } else { 2955 or_circ = TO_OR_CIRCUIT(circ); 2956 chan = or_circ->p_chan; 2957 } 2958 2959 tor_assert(chan); 2960 tor_assert(chan->cmux); 2961 2962 /* Now get the cmux */ 2963 cmux = chan->cmux; 2964 2965 /* Cmux sanity check */ 2966 if (! circuitmux_is_circuit_attached(cmux, circ)) { 2967 log_warn(LD_BUG, "called on non-attached circuit from %s:%d", 2968 file, lineno); 2969 return; 2970 } 2971 tor_assert(circuitmux_attached_circuit_direction(cmux, circ) == direction); 2972 2973 /* Update the number of cells we have for the circuit mux */ 2974 if (direction == CELL_DIRECTION_OUT) { 2975 circuitmux_set_num_cells(cmux, circ, circ->n_chan_cells.n); 2976 } else { 2977 circuitmux_set_num_cells(cmux, circ, or_circ->p_chan_cells.n); 2978 } 2979 } 2980 2981 /** Remove all circuits from the cmux on <b>chan</b>. 2982 * 2983 * If <b>circuits_out</b> is non-NULL, add all detached circuits to 2984 * <b>circuits_out</b>. 2985 **/ 2986 void 2987 channel_unlink_all_circuits(channel_t *chan, smartlist_t *circuits_out) 2988 { 2989 tor_assert(chan); 2990 tor_assert(chan->cmux); 2991 2992 circuitmux_detach_all_circuits(chan->cmux, circuits_out); 2993 chan->num_n_circuits = 0; 2994 chan->num_p_circuits = 0; 2995 } 2996 2997 /** 2998 * Called when a circuit becomes blocked or unblocked due to the channel 2999 * cell queue. 3000 * 3001 * Block (if <b>block</b> is true) or unblock (if <b>block</b> is false) 3002 * every edge connection that is using <b>circ</b> to write to <b>chan</b>, 3003 * and start or stop reading as appropriate. 3004 */ 3005 static void 3006 set_circuit_blocked_on_chan(circuit_t *circ, channel_t *chan, int block) 3007 { 3008 edge_connection_t *edge = NULL; 3009 if (circ->n_chan == chan) { 3010 circ->circuit_blocked_on_n_chan = block; 3011 if (CIRCUIT_IS_ORIGIN(circ)) 3012 edge = TO_ORIGIN_CIRCUIT(circ)->p_streams; 3013 } else { 3014 circ->circuit_blocked_on_p_chan = block; 3015 tor_assert(!CIRCUIT_IS_ORIGIN(circ)); 3016 edge = TO_OR_CIRCUIT(circ)->n_streams; 3017 } 3018 3019 set_block_state_for_streams(circ, edge, block, 0); 3020 } 3021 3022 /** 3023 * Helper function to block or unblock streams in a stream list. 3024 * 3025 * If <b>stream_id</b> is 0, apply the <b>block</b> state to all streams 3026 * in the stream list. If it is non-zero, only apply to that specific stream. 3027 */ 3028 static void 3029 set_block_state_for_streams(circuit_t *circ, edge_connection_t *stream_list, 3030 int block, streamid_t stream_id) 3031 { 3032 /* If we have a conflux object, we need to examine its status before 3033 * blocking and unblocking streams. */ 3034 if (circ->conflux) { 3035 bool can_send = conflux_can_send(circ->conflux); 3036 3037 if (block && can_send) { 3038 /* Don't actually block streams, since conflux can send*/ 3039 return; 3040 } else if (!block && !can_send) { 3041 /* Don't actually unblock streams, since conflux still can't send */ 3042 return; 3043 } 3044 } 3045 3046 for (edge_connection_t *edge = stream_list; edge; edge = edge->next_stream) { 3047 connection_t *conn = TO_CONN(edge); 3048 if (stream_id && edge->stream_id != stream_id) 3049 continue; 3050 3051 if (!conn->read_event || edge->xoff_received || 3052 conn->marked_for_close) { 3053 /* This connection should not start or stop reading. */ 3054 continue; 3055 } 3056 3057 if (block) { 3058 if (connection_is_reading(conn)) 3059 connection_stop_reading(conn); 3060 } else { 3061 /* Is this right? */ 3062 if (!connection_is_reading(conn)) 3063 connection_start_reading(conn); 3064 } 3065 } 3066 } 3067 3068 /** Extract the command from a packed cell. */ 3069 uint8_t 3070 packed_cell_get_command(const packed_cell_t *cell, int wide_circ_ids) 3071 { 3072 if (wide_circ_ids) { 3073 return get_uint8(cell->body+4); 3074 } else { 3075 return get_uint8(cell->body+2); 3076 } 3077 } 3078 3079 /** Extract the circuit ID from a packed cell. */ 3080 circid_t 3081 packed_cell_get_circid(const packed_cell_t *cell, int wide_circ_ids) 3082 { 3083 if (wide_circ_ids) { 3084 return ntohl(get_uint32(cell->body)); 3085 } else { 3086 return ntohs(get_uint16(cell->body)); 3087 } 3088 } 3089 3090 /** Pull as many cells as possible (but no more than <b>max</b>) from the 3091 * queue of the first active circuit on <b>chan</b>, and write them to 3092 * <b>chan</b>->outbuf. Return the number of cells written. Advance 3093 * the active circuit pointer to the next active circuit in the ring. */ 3094 MOCK_IMPL(int, 3095 channel_flush_from_first_active_circuit, (channel_t *chan, int max)) 3096 { 3097 circuitmux_t *cmux = NULL; 3098 int n_flushed = 0; 3099 cell_queue_t *queue; 3100 destroy_cell_queue_t *destroy_queue=NULL; 3101 circuit_t *circ; 3102 or_circuit_t *or_circ; 3103 int circ_blocked; 3104 packed_cell_t *cell; 3105 3106 /* Get the cmux */ 3107 tor_assert(chan); 3108 tor_assert(chan->cmux); 3109 cmux = chan->cmux; 3110 3111 /* Main loop: pick a circuit, send a cell, update the cmux */ 3112 while (n_flushed < max) { 3113 circ = circuitmux_get_first_active_circuit(cmux, &destroy_queue); 3114 if (destroy_queue) { 3115 destroy_cell_t *dcell; 3116 /* this code is duplicated from some of the logic below. Ugly! XXXX */ 3117 /* If we are given a destroy_queue here, then it is required to be 3118 * nonempty... */ 3119 tor_assert(destroy_queue->n > 0); 3120 dcell = destroy_cell_queue_pop(destroy_queue); 3121 /* ...and pop() will always yield a cell from a nonempty queue. */ 3122 tor_assert(dcell); 3123 /* frees dcell */ 3124 cell = destroy_cell_to_packed_cell(dcell, chan->wide_circ_ids); 3125 /* Send the DESTROY cell. It is very unlikely that this fails but just 3126 * in case, get rid of the channel. */ 3127 if (channel_write_packed_cell(chan, cell) < 0) { 3128 /* The cell has been freed. */ 3129 channel_mark_for_close(chan); 3130 continue; 3131 } 3132 /* Update the cmux destroy counter */ 3133 circuitmux_notify_xmit_destroy(cmux); 3134 cell = NULL; 3135 ++n_flushed; 3136 continue; 3137 } 3138 /* If it returns NULL, no cells left to send */ 3139 if (!circ) break; 3140 3141 if (circ->n_chan == chan) { 3142 queue = &circ->n_chan_cells; 3143 circ_blocked = circ->circuit_blocked_on_n_chan; 3144 } else { 3145 or_circ = TO_OR_CIRCUIT(circ); 3146 tor_assert(or_circ->p_chan == chan); 3147 queue = &TO_OR_CIRCUIT(circ)->p_chan_cells; 3148 circ_blocked = circ->circuit_blocked_on_p_chan; 3149 } 3150 3151 /* Circuitmux told us this was active, so it should have cells. 3152 * 3153 * Note: In terms of logic and coherence, this should never happen but the 3154 * cmux dragon is powerful. Reason is that when the OOM is triggered, when 3155 * cleaning up circuits, we mark them for close and then clear their cell 3156 * queues. And so, we can have a circuit considered active by the cmux 3157 * dragon but without cells. The cmux subsystem is only notified of this 3158 * when the circuit is freed which leaves a tiny window between close and 3159 * free to end up here. 3160 * 3161 * We are accepting this as an "ok" race else the changes are likely non 3162 * trivial to make the mark for close to set the num cells to 0 and change 3163 * the free functions to detach the circuit conditionally without creating 3164 * a chain effect of madness. 3165 * 3166 * The lesson here is arti will prevail and leave the cmux dragon alone. */ 3167 if (queue->n == 0) { 3168 circuitmux_set_num_cells(cmux, circ, 0); 3169 if (! circ->marked_for_close) 3170 circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL); 3171 continue; 3172 } 3173 3174 tor_assert(queue->n > 0); 3175 3176 /* 3177 * Get just one cell here; once we've sent it, that can change the circuit 3178 * selection, so we have to loop around for another even if this circuit 3179 * has more than one. 3180 */ 3181 cell = cell_queue_pop(queue); 3182 3183 /* Calculate the exact time that this cell has spent in the queue. */ 3184 if (get_options()->CellStatistics || 3185 get_options()->TestingEnableCellStatsEvent) { 3186 uint32_t timestamp_now = monotime_coarse_get_stamp(); 3187 uint32_t msec_waiting = 3188 (uint32_t) monotime_coarse_stamp_units_to_approx_msec( 3189 timestamp_now - cell->inserted_timestamp); 3190 3191 if (get_options()->CellStatistics && !CIRCUIT_IS_ORIGIN(circ)) { 3192 or_circ = TO_OR_CIRCUIT(circ); 3193 or_circ->total_cell_waiting_time += msec_waiting; 3194 or_circ->processed_cells++; 3195 } 3196 3197 if (get_options()->TestingEnableCellStatsEvent) { 3198 uint8_t command = packed_cell_get_command(cell, chan->wide_circ_ids); 3199 3200 testing_cell_stats_entry_t *ent = 3201 tor_malloc_zero(sizeof(testing_cell_stats_entry_t)); 3202 ent->command = command; 3203 ent->waiting_time = msec_waiting / 10; 3204 ent->removed = 1; 3205 if (circ->n_chan == chan) 3206 ent->exitward = 1; 3207 if (!circ->testing_cell_stats) 3208 circ->testing_cell_stats = smartlist_new(); 3209 smartlist_add(circ->testing_cell_stats, ent); 3210 } 3211 } 3212 3213 /* If we just flushed our queue and this circuit is used for a 3214 * tunneled directory request, possibly advance its state. */ 3215 if (queue->n == 0 && chan->dirreq_id) 3216 geoip_change_dirreq_state(chan->dirreq_id, 3217 DIRREQ_TUNNELED, 3218 DIRREQ_CIRC_QUEUE_FLUSHED); 3219 3220 /* Now send the cell. It is very unlikely that this fails but just in 3221 * case, get rid of the channel. */ 3222 if (channel_write_packed_cell(chan, cell) < 0) { 3223 /* The cell has been freed at this point. */ 3224 channel_mark_for_close(chan); 3225 continue; 3226 } 3227 cell = NULL; 3228 3229 /* 3230 * Don't packed_cell_free_unchecked(cell) here because the channel will 3231 * do so when it gets out of the channel queue (probably already did, in 3232 * which case that was an immediate double-free bug). 3233 */ 3234 3235 /* Update the counter */ 3236 ++n_flushed; 3237 3238 /* 3239 * Now update the cmux; tell it we've just sent a cell, and how many 3240 * we have left. 3241 */ 3242 circuitmux_notify_xmit_cells(cmux, circ, 1); 3243 circuitmux_set_num_cells(cmux, circ, queue->n); 3244 if (queue->n == 0) 3245 log_debug(LD_GENERAL, "Made a circuit inactive."); 3246 3247 /* Is the cell queue low enough to unblock all the streams that are waiting 3248 * to write to this circuit? */ 3249 if (circ_blocked && queue->n <= cell_queue_lowwatermark()) 3250 set_circuit_blocked_on_chan(circ, chan, 0); /* unblock streams */ 3251 3252 /* If n_flushed < max still, loop around and pick another circuit */ 3253 } 3254 3255 /* Okay, we're done sending now */ 3256 return n_flushed; 3257 } 3258 3259 /* Minimum value is the maximum circuit window size. 3260 * 3261 * This value is set to a lower bound we believe is reasonable with congestion 3262 * control and basic network running parameters. 3263 * 3264 * SENDME cells makes it that we can control how many cells can be inflight on 3265 * a circuit from end to end. This logic makes it that on any circuit cell 3266 * queue, we have a maximum of cells possible. 3267 * 3268 * Because the Tor protocol allows for a client to exit at any hop in a 3269 * circuit and a circuit can be of a maximum of 8 hops, so in theory the 3270 * normal worst case will be the circuit window start value times the maximum 3271 * number of hops (8). Having more cells then that means something is wrong. 3272 * 3273 * However, because padding cells aren't counted in the package window, we set 3274 * the maximum size to a reasonably large size for which we expect that we'll 3275 * never reach in theory. And if we ever do because of future changes, we'll 3276 * be able to control it with a consensus parameter. 3277 * 3278 * XXX: Unfortunately, END cells aren't accounted for in the circuit window 3279 * which means that for instance if a client opens 8001 streams, the 8001 3280 * following END cells will queue up in the circuit which will get closed if 3281 * the max limit is 8000. Which is sad because it is allowed by the Tor 3282 * protocol. But, we need an upper bound on circuit queue in order to avoid 3283 * DoS memory pressure so the default size is a middle ground between not 3284 * having any limit and having a very restricted one. This is why we can also 3285 * control it through a consensus parameter. */ 3286 #define RELAY_CIRC_CELL_QUEUE_SIZE_MIN 50 3287 /* We can't have a consensus parameter above this value. */ 3288 #define RELAY_CIRC_CELL_QUEUE_SIZE_MAX INT32_MAX 3289 /* Default value is set to a large value so we can handle padding cells 3290 * properly which aren't accounted for in the SENDME window. Default is 2500 3291 * allowed cells in the queue resulting in ~1MB. */ 3292 #define RELAY_CIRC_CELL_QUEUE_SIZE_DEFAULT \ 3293 (50 * RELAY_CIRC_CELL_QUEUE_SIZE_MIN) 3294 3295 /* The maximum number of cells a circuit queue can contain. This is updated at 3296 * every new consensus and controlled by a parameter. */ 3297 static int32_t max_circuit_cell_queue_size = 3298 RELAY_CIRC_CELL_QUEUE_SIZE_DEFAULT; 3299 /** Maximum number of cell on an outbound circuit queue. This is updated at 3300 * every new consensus and controlled by a parameter. This default is incorrect 3301 * and won't be used at all except in unit tests. */ 3302 static int32_t max_circuit_cell_queue_size_out = 3303 RELAY_CIRC_CELL_QUEUE_SIZE_DEFAULT; 3304 3305 /** Return consensus parameter "circ_max_cell_queue_size". The given ns can be 3306 * NULL. */ 3307 static uint32_t 3308 get_param_max_circuit_cell_queue_size(const networkstatus_t *ns) 3309 { 3310 return networkstatus_get_param(ns, "circ_max_cell_queue_size", 3311 RELAY_CIRC_CELL_QUEUE_SIZE_DEFAULT, 3312 RELAY_CIRC_CELL_QUEUE_SIZE_MIN, 3313 RELAY_CIRC_CELL_QUEUE_SIZE_MAX); 3314 } 3315 3316 /** Return consensus parameter "circ_max_cell_queue_size_out". The given ns can 3317 * be NULL. */ 3318 static uint32_t 3319 get_param_max_circuit_cell_queue_size_out(const networkstatus_t *ns) 3320 { 3321 return networkstatus_get_param(ns, "circ_max_cell_queue_size_out", 3322 get_param_max_circuit_cell_queue_size(ns), 3323 RELAY_CIRC_CELL_QUEUE_SIZE_MIN, 3324 RELAY_CIRC_CELL_QUEUE_SIZE_MAX); 3325 } 3326 3327 /* Called when the consensus has changed. At this stage, the global consensus 3328 * object has NOT been updated. It is called from 3329 * notify_before_networkstatus_changes(). */ 3330 void 3331 relay_consensus_has_changed(const networkstatus_t *ns) 3332 { 3333 tor_assert(ns); 3334 3335 /* Update the circuit max cell queue size from the consensus. */ 3336 max_circuit_cell_queue_size = 3337 get_param_max_circuit_cell_queue_size(ns); 3338 max_circuit_cell_queue_size_out = 3339 get_param_max_circuit_cell_queue_size_out(ns); 3340 } 3341 3342 /** Add <b>cell</b> to the queue of <b>circ</b> writing to <b>chan</b> 3343 * transmitting in <b>direction</b>. 3344 * 3345 * The given <b>cell</b> is copied onto the circuit queue so the caller must 3346 * cleanup the memory. 3347 * 3348 * This function is part of the fast path. 3349 * 3350 * Return 1 if the cell was successfully sent. 3351 * Return 0 if the cell can not be sent. The caller MUST NOT close the circuit. 3352 * Return -1 indicating an error and that the caller should mark the circuit 3353 * for close. */ 3354 int 3355 append_cell_to_circuit_queue(circuit_t *circ, channel_t *chan, 3356 cell_t *cell, cell_direction_t direction, 3357 streamid_t fromstream) 3358 { 3359 or_circuit_t *orcirc = NULL; 3360 edge_connection_t *stream_list = NULL; 3361 cell_queue_t *queue; 3362 int32_t max_queue_size; 3363 int circ_blocked; 3364 int exitward; 3365 if (circ->marked_for_close) { 3366 return 0; 3367 } 3368 3369 exitward = (direction == CELL_DIRECTION_OUT); 3370 if (exitward) { 3371 queue = &circ->n_chan_cells; 3372 circ_blocked = circ->circuit_blocked_on_n_chan; 3373 max_queue_size = max_circuit_cell_queue_size_out; 3374 if (CIRCUIT_IS_ORIGIN(circ)) 3375 stream_list = TO_ORIGIN_CIRCUIT(circ)->p_streams; 3376 } else { 3377 orcirc = TO_OR_CIRCUIT(circ); 3378 queue = &orcirc->p_chan_cells; 3379 circ_blocked = circ->circuit_blocked_on_p_chan; 3380 max_queue_size = max_circuit_cell_queue_size; 3381 stream_list = TO_OR_CIRCUIT(circ)->n_streams; 3382 } 3383 3384 if (PREDICT_UNLIKELY(queue->n >= max_queue_size)) { 3385 /* This DoS defense only applies at the Guard as in the p_chan is likely 3386 * a client IP attacking the network. */ 3387 if (exitward && CIRCUIT_IS_ORCIRC(circ)) { 3388 stats_n_circ_max_cell_outq_reached++; 3389 dos_note_circ_max_outq(CONST_TO_OR_CIRCUIT(circ)->p_chan); 3390 } 3391 3392 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, 3393 "%s circuit has %d cells in its queue, maximum allowed is %d. " 3394 "Closing circuit for safety reasons.", 3395 (exitward) ? "Outbound" : "Inbound", queue->n, 3396 max_queue_size); 3397 stats_n_circ_max_cell_reached++; 3398 return -1; 3399 } 3400 3401 /* Very important that we copy to the circuit queue because all calls to 3402 * this function use the stack for the cell memory. */ 3403 cell_queue_append_packed_copy(circ, queue, exitward, cell, 3404 chan->wide_circ_ids, 1); 3405 3406 /* Check and run the OOM if needed. */ 3407 if (PREDICT_UNLIKELY(cell_queues_check_size())) { 3408 /* We ran the OOM handler which might have closed this circuit. */ 3409 if (circ->marked_for_close) { 3410 return 0; 3411 } 3412 } 3413 3414 /* If we have too many cells on the circuit, note that it should 3415 * be blocked from new cells. */ 3416 if (!circ_blocked && queue->n >= cell_queue_highwatermark()) 3417 set_circuit_blocked_on_chan(circ, chan, 1); 3418 3419 if (circ_blocked && fromstream) { 3420 /* This edge connection is apparently not blocked; this can happen for 3421 * new streams on a blocked circuit, for their CONNECTED response. 3422 * block it now, unless we have conflux. */ 3423 set_block_state_for_streams(circ, stream_list, 1, fromstream); 3424 } 3425 3426 update_circuit_on_cmux(circ, direction); 3427 if (queue->n == 1) { 3428 /* This was the first cell added to the queue. We just made this 3429 * circuit active. */ 3430 log_debug(LD_GENERAL, "Made a circuit active."); 3431 } 3432 3433 /* New way: mark this as having waiting cells for the scheduler */ 3434 scheduler_channel_has_waiting_cells(chan); 3435 return 1; 3436 } 3437 3438 /** Append an encoded value of <b>addr</b> to <b>payload_out</b>, which must 3439 * have at least 18 bytes of free space. The encoding is, as specified in 3440 * tor-spec.txt: 3441 * RESOLVED_TYPE_IPV4 or RESOLVED_TYPE_IPV6 [1 byte] 3442 * LENGTH [1 byte] 3443 * ADDRESS [length bytes] 3444 * Return the number of bytes added, or -1 on error */ 3445 int 3446 append_address_to_payload(uint8_t *payload_out, const tor_addr_t *addr) 3447 { 3448 uint32_t a; 3449 switch (tor_addr_family(addr)) { 3450 case AF_INET: 3451 payload_out[0] = RESOLVED_TYPE_IPV4; 3452 payload_out[1] = 4; 3453 a = tor_addr_to_ipv4n(addr); 3454 memcpy(payload_out+2, &a, 4); 3455 return 6; 3456 case AF_INET6: 3457 payload_out[0] = RESOLVED_TYPE_IPV6; 3458 payload_out[1] = 16; 3459 memcpy(payload_out+2, tor_addr_to_in6_addr8(addr), 16); 3460 return 18; 3461 case AF_UNSPEC: 3462 default: 3463 return -1; 3464 } 3465 } 3466 3467 /** Given <b>payload_len</b> bytes at <b>payload</b>, starting with an address 3468 * encoded as by append_address_to_payload(), try to decode the address into 3469 * *<b>addr_out</b>. Return the next byte in the payload after the address on 3470 * success, or NULL on failure. */ 3471 const uint8_t * 3472 decode_address_from_payload(tor_addr_t *addr_out, const uint8_t *payload, 3473 int payload_len) 3474 { 3475 if (payload_len < 2) 3476 return NULL; 3477 if (payload_len < 2+payload[1]) 3478 return NULL; 3479 3480 switch (payload[0]) { 3481 case RESOLVED_TYPE_IPV4: 3482 if (payload[1] != 4) 3483 return NULL; 3484 tor_addr_from_ipv4n(addr_out, get_uint32(payload+2)); 3485 break; 3486 case RESOLVED_TYPE_IPV6: 3487 if (payload[1] != 16) 3488 return NULL; 3489 tor_addr_from_ipv6_bytes(addr_out, (payload+2)); 3490 break; 3491 default: 3492 tor_addr_make_unspec(addr_out); 3493 break; 3494 } 3495 return payload + 2 + payload[1]; 3496 } 3497 3498 /** Remove all the cells queued on <b>circ</b> for <b>chan</b>. */ 3499 void 3500 circuit_clear_cell_queue(circuit_t *circ, channel_t *chan) 3501 { 3502 cell_queue_t *queue; 3503 cell_direction_t direction; 3504 3505 if (circ->n_chan == chan) { 3506 queue = &circ->n_chan_cells; 3507 direction = CELL_DIRECTION_OUT; 3508 } else { 3509 or_circuit_t *orcirc = TO_OR_CIRCUIT(circ); 3510 tor_assert(orcirc->p_chan == chan); 3511 queue = &orcirc->p_chan_cells; 3512 direction = CELL_DIRECTION_IN; 3513 } 3514 3515 /* Clear the queue */ 3516 cell_queue_clear(queue); 3517 3518 /* Update the cell counter in the cmux */ 3519 if (chan->cmux && circuitmux_is_circuit_attached(chan->cmux, circ)) 3520 update_circuit_on_cmux(circ, direction); 3521 } 3522 3523 /** Return 1 if we shouldn't restart reading on this circuit, even if 3524 * we get a SENDME. Else return 0. 3525 */ 3526 static int 3527 circuit_queue_streams_are_blocked(circuit_t *circ) 3528 { 3529 if (CIRCUIT_IS_ORIGIN(circ)) { 3530 return circ->circuit_blocked_on_n_chan; 3531 } else { 3532 return circ->circuit_blocked_on_p_chan; 3533 } 3534 } 3535 3536 /** Return the format to use. 3537 * 3538 * NULL can be passed but not for both. */ 3539 relay_cell_fmt_t 3540 circuit_get_relay_format(const circuit_t *circ, const crypt_path_t *cpath) 3541 { 3542 if (circ && CIRCUIT_IS_ORCIRC(circ)) { 3543 return CONST_TO_OR_CIRCUIT(circ)->relay_cell_format; 3544 } else if (cpath) { 3545 return cpath->relay_cell_format; 3546 } else { 3547 /* We end up here when both params are NULL, which is not allowed, or when 3548 * only an origin circuit is given (which again is not allowed). */ 3549 tor_assert_unreached(); 3550 } 3551 } 3552 3553 /** 3554 * Return the maximum relay payload that can be sent to the chosen 3555 * point, with the specified command. 3556 */ 3557 size_t 3558 circuit_max_relay_payload(const circuit_t *circ, const crypt_path_t *cpath, 3559 uint8_t relay_command) 3560 { 3561 relay_cell_fmt_t fmt = circuit_get_relay_format(circ, cpath); 3562 return relay_cell_max_payload_size(fmt, relay_command); 3563 }